https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/152639#M31068 <P>Currently, I have 2 seperate clusters. One 'old' 6.0 cluster, and a new cluster for 6.2.<BR /> The idea is to have our forwarders forwarding to both clusters at the same time. I modified the outputs.conf on the forwarders, and can see events coming in on both clusters. So far, so good.</P> <P>When I take a closer look, I can see events dropping on most forwarders:<BR /> index=_internal sourcetype=splunkd "has begun dropping events"</P> <P>I can't find the root cause of this. No queues are blocked, network seems to be ok, and the indexers (both clusters) are fine too. Also, when I look closer on the local queues, I cannot see any alarming levels as well. No throtteling either (no maxkbps messages)<BR /> index=_internal source="/opt/splunkforwarder/var/log/splunk/metrics.log" group=queue current_size_kb&gt;0</P> <P>Only message that occurs frequently is "File descriptor cache is full (100), trimming". For what I could find, it should be regarderd as an informational message, not really harming anything.</P> <P>Who can help me out to find the actual bottleneck?</P> Mon, 28 Sep 2020 20:14:58 GMT renems 2020-09-28T20:14:58Z https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/152639#M31068 <P>Currently, I have 2 seperate clusters. One 'old' 6.0 cluster, and a new cluster for 6.2.<BR /> The idea is to have our forwarders forwarding to both clusters at the same time. I modified the outputs.conf on the forwarders, and can see events coming in on both clusters. So far, so good.</P> <P>When I take a closer look, I can see events dropping on most forwarders:<BR /> index=_internal sourcetype=splunkd "has begun dropping events"</P> <P>I can't find the root cause of this. No queues are blocked, network seems to be ok, and the indexers (both clusters) are fine too. Also, when I look closer on the local queues, I cannot see any alarming levels as well. No throtteling either (no maxkbps messages)<BR /> index=_internal source="/opt/splunkforwarder/var/log/splunk/metrics.log" group=queue current_size_kb&gt;0</P> <P>Only message that occurs frequently is "File descriptor cache is full (100), trimming". For what I could find, it should be regarderd as an informational message, not really harming anything.</P> <P>Who can help me out to find the actual bottleneck?</P> Mon, 28 Sep 2020 20:14:58 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/152639#M31068 renems 2020-09-28T20:14:58Z https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/152640#M31069 <P>Might be useful, the actual error msg:<BR /> 06-10-2015 14:00:25.833 +0200 INFO TcpOutputProc - Queue for group splunknw has begun dropping events<BR /> 06-10-2015 14:00:25.833 +0200 INFO TcpOutputProc - Queue for group splunknw has stopped dropping events<BR /> 06-10-2015 14:00:34.829 +0200 INFO TcpOutputProc - Queue for group splunknw has begun dropping events</P> Wed, 10 Jun 2015 14:16:28 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/152640#M31069 renems 2015-06-10T14:16:28Z https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/521613#M88130 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63819">@renems</a>&nbsp;, were you&nbsp; able to find any&nbsp; root cause with this???</P> Sat, 26 Sep 2020 15:46:41 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/521613#M88130 hectorvp 2020-09-26T15:46:41Z https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/563135#M100334 <P>2nd such post with no resolution <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 13 Aug 2021 03:13:02 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-dropping-events/m-p/563135#M100334 dm1 2021-08-13T03:13:02Z