https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96286#M20075 <P>It's a shot in the dark without more information, but I had this issue before. Are you using the deployment server in your environment? Is it possible your forwarders' outputs.conf got deployed to your indexer?</P> <P>On the indexer:<BR /> ./splunk cmd btool outputs list --debug</P> <P>See if you're somehow looping your inputs back to itself.</P> Thu, 12 Jul 2012 17:40:17 GMT mikelanghorst 2012-07-12T17:40:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96282#M20071 <P>I upgraded to 4.3.3 on an indexer that never had any problems before this point in time and now the indexer is dropping all forwarded events on the floor with messages like this</P> <PRE><CODE>07-11-2012 12:44:17.568 -0500 INFO TcpInputProc - Stopping IPv4 port 9997 07-11-2012 12:44:17.568 -0500 WARN TcpInputProc - Stopping all listening ports. Queues blocked for more than 300 seconds </CODE></PRE> <P>I've seen similar questions appear like this on splunkanswers, but the suggested resolutions (involving fishbucket) dont seem to apply to my case?</P> <P>I turned on splunk debugging, but it doesn't lead me to any better conclusions.</P> <P>What queues is it referring to? The box is ripe with CPU, disk, and RAM. It cant possibly be overloaded; it's not <EM>doing</EM> anything.</P> <P>Support is being a lame duck; taking their time staring at walls. In the meantime my primary splunk indexer is not indexing anything because it's not receiving anything from the forwarders.</P> <P>Does anyone have any clues as to where I could look? If it's not resolved by tomorrow I'm re-installing splunk on the primary indexer as this is not something that can wait.</P> <P>Thanks in advance for any help and guidance you can provide.</P> Thu, 12 Jul 2012 02:14:40 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96282#M20071 caphrim007 2012-07-12T02:14:40Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96283#M20072 <P>The queues that are mentioned by that message are those that lead into the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline">data pipelines</A> where splunkd shapes your data into events before indexing those on disk.</P> <P>This message would indicate that there is a bottleneck in one of those pipelines, which causes the queue that feeds it and all queues upstream to fill up, all the way to the queue that accepts incoming events from forwarders (splunktcpin).</P> <P>This is obviously undesirable, but keep in mind that your forwarder events are <EM>not</EM> being dropped. Instead, the forwarders will pause their data inputs and resume once the indexer is able to process data again.</P> <P>When seeing such a message, the first thing that you should do is to determine the fill percentage of the queues leading to the 4 main data pipelines : parsing -&gt; merging -&gt; typing -&gt; indexing.</P> <P>By determining which is the most downstream queue to be saturated, you can get an idea of why there is a bottleneck there.</P> <P>A simple way to gain visibility of the state of event-processing queues is to use the "indexing performance" view of the <A href="http://www.splunk.com/goto/sos">Splunk on Splunk app</A>. For details on how to install the app, check <A href="http://splunk-base.splunk.com/answers/38091">this Splunk Answer</A>.</P> <P>If you can post a screenshot showing the panels of that view, I can try to help you further.</P> <P>Incidentally, what is the case number that you opened with Splunk support? I can check in on it for you.</P> Thu, 12 Jul 2012 04:59:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96283#M20072 hexx 2012-07-12T04:59:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96284#M20073 <P>Appears I have it installed, but when going to use it, I get this error.</P> <P>Splunk encountered the following unknown module: "sosFTR" . The view may not load properly</P> Thu, 12 Jul 2012 11:30:24 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96284#M20073 caphrim007 2012-07-12T11:30:24Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96285#M20074 <P>Sideview Utils. Next time I'll read before asking</P> Thu, 12 Jul 2012 11:37:22 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96285#M20074 caphrim007 2012-07-12T11:37:22Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96286#M20075 <P>It's a shot in the dark without more information, but I had this issue before. Are you using the deployment server in your environment? Is it possible your forwarders' outputs.conf got deployed to your indexer?</P> <P>On the indexer:<BR /> ./splunk cmd btool outputs list --debug</P> <P>See if you're somehow looping your inputs back to itself.</P> Thu, 12 Jul 2012 17:40:17 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96286#M20075 mikelanghorst 2012-07-12T17:40:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96287#M20076 <P>That would be consistent with the high-level symptom described.</P> Thu, 12 Jul 2012 18:03:58 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96287#M20076 hexx 2012-07-12T18:03:58Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96288#M20077 <P>I try to avoid staring at walls whenever I can <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 05 Feb 2015 22:17:20 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96288#M20077 KpiBuff 2015-02-05T22:17:20Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96289#M20078 <P>What was the issue? Please help.. We are facing same issue.. If this is resolved, can you please give snippet of inputs. Conf and output. Conf files.. </P> Thu, 25 May 2017 14:11:59 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96289#M20078 k_harini 2017-05-25T14:11:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96290#M20079 <P>Tat was the issue for me.. Looping back to itself </P> Sat, 27 May 2017 02:11:49 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-closing-TCP-port-9997-forwarder-port/m-p/96290#M20079 k_harini 2017-05-27T02:11:49Z