Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Health

SN1
Path Finder
‎02-11-2025 11:16 PM

Hi I am getting this error.

Root Cause(s):

  • More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct

    i have used telnet as well and it is getting connected.
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-12-2025 07:26 AM

@SN1 

Here is one conf presentation which you probably could use to check if there is local issue or where the issue could be.

https://conf.splunk.com/files/2019/slides/FN1570.pdf

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-12-2025 07:21 AM

@SN1 

  1. Even though telnet is connecting, there might still be network issues or firewall rules affecting the Splunk traffic. Ensure that there are no firewalls blocking the traffic between the forwarders and indexers.
  2. Make sure all your indexers are running and reachable. You can use the Splunk monitoring console to view the status of your indexers.
  3. Check the resource usage on your forwarders and indexers. High CPU or memory usage can sometimes cause forwarding issues.
  4. Then are you using an SSL certificate?
  5. If yes, check the validity and the password of your certificate and that the certificate is used on UFs and IDXs.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2025 05:25 AM

Telnet will tell you if a network connection can be made, but won't say if the Splunk-to-Splunk protocol is working or not.

Have you confirmed all forwarders are running?  Do they have the right outputs.conf settings?  Are their certificates valid?

Have you looked at each forwarder's splunkd.log file to see what connection errors are being reported?

Do you replace forwarders often?  If so, Splunk probably still expects to hear from the old ones and this message may be a false positive.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...