Solved: Re: How to resolve Indexer ERROR TcpInputConfig - ...

justynap_ldz · ‎09-28-2022

Hello,

We keep getting the errors from one of our indexers (there are 3 in the cluster, only one is affected):
ERROR TcpInputConfig [60483 TcpListener] - SSL context not found. Will not open splunk to splunk (SSL) IPv4 port 9997

All indexers have the same SSL config:

/opt/splunk/etc/system/local/inputs.conf
[default]
host = z1234

[splunktcp-ssl:9997]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/z1234_server.pem
sslPassword = <password>
requireClientCert = false
sslVersions = tls1.2

We have just found additional input.conf on all indexers: in
/opt/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
connection_host = ip

We deleted this config on all indexers as this is no longer valid and shouldn't be active.
Unfortunately, after splunk restart port 9997 is no longer opened on z1234 host. On other two hosts it is still opened...weird

Any idea what else to check/do to troubleshoot?
Your help will be much appreciated!

Greetings,
Justyna

justynap_ldz · ‎10-11-2022

The solution was to request new cert in company's CA, generate new private key and new certificate chains

View solution in original post

justynap_ldz · ‎10-11-2022

The solution was to request new cert in company's CA, generate new private key and new certificate chains

How to resolve Indexer ERROR TcpInputConfig - SSL context not found? (Won't open Splunk to Splunk (SSL) IPv4 port 9997)

SSL

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation