Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

"Connection was reset" when trying to make an API request using CURL

tomapatan
Contributor
‎02-26-2025 06:14 AM

Hi,

I`m trying to make an API request from my local machine to our Splunk Cloud instance, without much success.
Checked the Firewall logs and I can`t see any blocked/denied traffic.

Using:
-  curl 7.29.0

- nss-3.90

Error received:

 

* Host myDomain.splunkcloud.com:8089 was resolved.
* IPv6: (none)
* IPv4: xx.xx.xx.xxx
*   Trying xx.xx.xx.xxx:8089...
* Connected to myDomain.splunkcloud.com (xx.xx.xx.xxx) port 8089
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* Recv failure: Connection was reset
* schannel: failed to receive handshake, SSL/TLS connection failed
* closing connection #0
curl: (35) Recv failure: Connection was reset

 

 

Labels (1)
Labels
0 Karma
Reply

99eaglez
Explorer
‎03-19-2025 07:23 AM

Depending on your environment you may need to add an environmental variable for a proxy server.

This allows apps to be "proxy aware" in cases where they are not.

You can test it out on windows using the setx command.

setx https_proxy <your proxy server ip>:443
setx http_proxy <your proxy server ip>:443

I know what your are thinking - "it is over port 8089" not "443" but try it out, it worked for me.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-26-2025 06:54 AM

Hi @tomapatan 

You mentioned that there are no blocks on your internal firewall - are there multiple egress IPs that your connection can connect out on? Are all possible egress IPs allow-listed in Splunk Cloud for Mgmt port / API access to the SHs? 

If you havent already, you can configure the allow list via:
Splunk Web - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Admin/ConfigureIPAllowList

ACS API - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ConfigureIPAllowList

ACS CLI - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ACSCLI

 

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

tomapatan
Contributor
‎02-26-2025 07:15 AM

Thanks Will,

I`ve already configured the allow list, although you made a valid point and there`s a high chance that I`ve not listed all possible IPs - something I need to look at.

I had another look at the firewall logs and found a field called vendor_action=server-rst - I would imagine this means the connection was reset by the server, although not entirely sure why.

tomapatan_0-1740582489049.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...