Splunk Enterprise

Splunk Health

SN1
Path Finder

Hi, I am getting this error.

Root Cause(s):

  • More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct

    I have used telnet as well and it is getting connected.
0 Karma

kiran_panchavat
SplunkTrust

@SN1 

Here is one conf presentation which you probably could use to check if there is a local issue or where the issue could be.

https://conf.splunk.com/files/2019/slides/FN1570.pdf

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

kiran_panchavat
SplunkTrust

@SN1 

  1. Even though telnet is connecting, there might still be network issues or firewall rules affecting the Splunk traffic. Ensure that there are no firewalls blocking the traffic between the forwarders and indexers.
  2. Make sure all your indexers are running and reachable. You can use the Splunk monitoring console to view the status of your indexers.
  3. Check the resource usage on your forwarders and indexers. High CPU or memory usage can sometimes cause forwarding issues.
  4. Then are you using an SSL certificate?
  5. If yes, check the validity and the password of your certificate and that the certificate is used on UFs and IDXs.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

richgalloway
SplunkTrust

Telnet will tell you if a network connection can be made, but won't say if the Splunk-to-Splunk protocol is working or not.

Have you confirmed all forwarders are running?  Do they have the right outputs.conf settings?  Are their certificates valid?

Have you looked at each forwarder's splunkd.log file to see what connection errors are being reported?

Do you replace forwarders often?  If so, Splunk probably still expects to hear from the old ones and this message may be a false positive.

---
If this reply helps you, Karma would be appreciated.
0 Karma
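
As an added example (not part of any reply in this thread, and not Splunk's own tooling), here is one way to triage a forwarder's splunkd.log for output connection errors and see what share of destinations is failing, and why. The log line layouts, addresses and the sample text are constructed assumptions modeled on typical splunkd.log output messages; adjust the patterns to what your forwarders actually write.

```python
import re

# Constructed sample, not taken from the thread. The line layouts are an
# assumption modeled on typical splunkd.log output-processor messages.
SAMPLE_LOG = """\
03-10-2025 09:13:50.004 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.11:9997 timed out
03-10-2025 09:14:01.102 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.11:9997
03-10-2025 09:14:02.310 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.12:9997 timed out
03-10-2025 09:14:03.455 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.13:9997 failed. SSL Error = certificate verify failed
03-10-2025 09:14:04.001 +0000 WARN  TcpOutputFd - Connect to 10.0.0.14:9997 failed. Connection refused
03-10-2025 09:14:09.870 +0000 INFO  ExampleComponent - unrelated message (constructed)
"""

# timestamp (3 fields), level, a TcpOutput* component, then the message
LINE_RE = re.compile(r"^\S+ \S+ \S+\s+\w+\s+TcpOutput\w+ - (.*)$")
# destination written as idx=, ip=, host= or bare after "to "
DEST_RE = re.compile(r"(?:idx=|ip=|host=|to )([\w.\-]+:\d+)")

def classify(msg):
    """Map one output message to a coarse state, or None if not relevant."""
    if msg.startswith("Connected to"):
        return "connected"
    if "SSL" in msg or "certificate" in msg:
        return "tls"        # TCP worked (telnet would too); TLS did not
    if "timed out" in msg:
        return "timeout"
    if "refused" in msg:
        return "refused"
    if "failed" in msg:
        return "failed"
    return None

def triage(log_text):
    """Return {destination: latest state}; later lines override earlier ones."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        dest = DEST_RE.search(m.group(1)) if m else None
        state = classify(m.group(1)) if dest else None
        if state:
            latest[dest.group(1)] = state
    return latest

def failed_ratio(states):
    """Fraction of destinations whose latest state is not 'connected'."""
    bad = sum(1 for s in states.values() if s != "connected")
    return bad / len(states) if states else 0.0

if __name__ == "__main__":
    states = triage(SAMPLE_LOG)
    for dest, state in sorted(states.items()):
        print(f"{dest:20} {state}")
    print(f"failed destinations: {failed_ratio(states):.0%}")
```

A `tls` result points at certificate or SSL settings even though telnet connects, while `refused` or `timeout` points at the indexer listener or the network path.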