These logs are from forwarder ?? Seems like indexer and forwarder communication failed in 9997 port. forwarder unable to connect to indexer with 9997 port using SSL. Are you using 3rd party ssl / self sign ssl? anyhow could you please share the configs?
Check the communication by:
telnet
telnet x.x.x.x 997
These are the few steps you can proceed to debug.
remove your ssl and validate the connection.
if the step 1 works you have issue with your SSL configurations.
My wild guess is your configurations on SSL is applied in forwarder but not indexer. since you are forcing forwarder to use SSL to the indexer communication. Have you done anything in indexer??
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA
above is some old wiki page.. still you can refer the configurations.
... View more