We have recently upgraded the Splunk SearchHead and Indexer to Splunk V6. Since afternoon we are facing below error and no logs are coming on Indexer or Search head.
1. Search peer lonrs10215 has the following message: Tcp output pipeline blocked. Attempt '400' to insert data failed.
I looked at the splunkd.log on indexer and can see below error message:( 11.192.36.204 is the Indexer server lonrs10215 mentioned in above error)
01-07-2014 18:10:33.233 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused
01-07-2014 18:10:33.234 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed
01-07-2014 18:11:03.235 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused
01-07-2014 18:11:03.235 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed
01-07-2014 18:11:23.237 +0000 WARN TcpOutputProc - Shutdown timed out for 11.192.36.204:9997
01-07-2014 18:11:23.237 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused
01-07-2014 18:11:23.237 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed
01-07-2014 18:11:23.421 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused
When i tried the command (netstat -an | grep 9997) on indexer I can see its connecting and have established connections:
tcp 24778 0 11.192.36.204:9997 11.182.8.168:2621 ESTABLISHED
tcp 1304190 0 11.192.36.204:9997 11.182.8.168:2620 ESTABLISHED
tcp 1613142 0 11.192.36.204:9997 11.192.36.204:46875 ESTABLISHED
Can you please suggest to resolve this?
Thanks
Nik
Someone else had this issue:
http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer
Nik, did you get any response on this? I'm seeing the same error message and haven't had any luck tracking it down.