https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109265#M22980 <P>How did you set your forwarder? Using a Deployment Manager?</P> <P>Also what O/S is it running on? I've seen some similar behaviour on Windows forwarders in the past.</P> Wed, 13 May 2015 19:26:28 GMT Stefan 2015-05-13T19:26:28Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109263#M22978 <P>Im using Splunk Cloud, </P> <P>and every once in a while, im getting this error </P> <P>05-13-2015 09:10:34.891 -0400 WARN TcpOutputProc - Forwarding to indexer group splunkcloud blocked for 207000 seconds.</P> <P>After that, my indexer is not indexing anymore.<BR /> Inside the log, I continue to see thing like this : </P> <P>05-13-2015 09:07:16.757 -0400 WARN TcpOutputProc - Possible duplication of events with channel=source::WMI:AllReplicatedFolder|host::server1|WMI:AllReplicatedFolder|53003616, streamId=12722903640634641263, offset=516887 subOffset=1 on host=54.174.234.168:9997<BR /> 05-13-2015 09:07:16.757 -0400 WARN TcpOutputProc - Possible duplication of events with channel=source::WMI:AllReplicatedFolder|host::server1|WMI:AllReplicatedFolder|53003616, streamId=12722903640634641263, offset=298120 subOffset=1 on host=54.174.234.168:9997</P> <P>So I guess the forwarder continue to gather informations from differents servers.</P> <P>I have to restart the service to make the cloud index again.</P> <P>This universal forwarder is making WMI request to 30 differents server and push information to the cloud.<BR /> I have the exact same wmi.conf file on a "local test machine" wich is splunk enterprise 6.2.2 and it never stoped to index the same information.</P> <P>Any one have the solution ? Thanks</P> Wed, 13 May 2015 13:19:43 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109263#M22978 jeanfrederic 2015-05-13T13:19:43Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109264#M22979 <P>For some reason, It turned to be my Universal Forwarder that was sending "duplicate" by itself.</P> <P>My Splunk Enterprise Index was all right, around 2200 entries... and My Splunk Cloud was having 1 200 000 entries.<BR /> They both use the same wmi.conf</P> <P>I dont know why I was having those duplicate.</P> Wed, 13 May 2015 19:17:37 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109264#M22979 jeanfrederic 2015-05-13T19:17:37Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109265#M22980 <P>How did you set your forwarder? Using a Deployment Manager?</P> <P>Also what O/S is it running on? I've seen some similar behaviour on Windows forwarders in the past.</P> Wed, 13 May 2015 19:26:28 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-stop-Forwarding/m-p/109265#M22980 Stefan 2015-05-13T19:26:28Z