Splunk troubleshooting – forwarder

Splunk Troubleshooting – Forwarder Welcome to the first installment in our new Splunk troubleshooting series. As Splunk professionals we know that there are issues that are not covered in the Splunk Tutorials and guides. Splunk Answers can be a valuable resource at times but still it can suck up some precious time trying to find the guidance you need. So to save you time and provide you with the knowledge you need to tackle some of the most common Splunk issues we have created this blog series for you, the Splunk professional. We are Splunk experts and Splunk professional services partners with the experience and knowledge to assist with your Splunk deployment in any environment. Splunk: Troubleshooting Forwarder Communications (for the purposes of this article we will be working with *nix based nodes) While Splunk can be a very powerful tool for harnessing the true power of your log data, sometimes setting up communication between your forwarders and indexers can prove challenging. Below we explore some of the more common errors you may encounter and how to bring these issues to resolution. Timeouts in Cooked Connections within splunkd.log Splunk Error Code: (WARN TcpOutputProc – Cooked connection to ip= 255.255.255.255 timed out) This is the most common error encountered when troubleshooting Splunk forwarder communications and can be one of the most frustrating. To determine if this is the error causing your issues, you can simply take a look at the most recent events within the splunkd.log file. tail -100f splunkd.log | grep TcpOutputProc