https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336034#M62131 <P>thanks! i'll try when it happens again!</P> Mon, 30 Oct 2017 05:14:46 GMT hkizuka 2017-10-30T05:14:46Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336030#M62127 <P>I've got an issue with HF not sending the logs to indexer.<BR /> Does anyone have experience with something like this?</P> <P>HF was sending the log to indexer as it should until yesterday.<BR /> at one moment, indexer OS somehow got shutdown and HF didn't send any logs including internal logs even after the indexer was booted and connection was established.</P> <P>HF:Windows Server 2012<BR /> indexer:Windows Server 2016<BR /> Splunk version : 6.6.3</P> <P>when I checked splunkd.log in HF, I saw logs written as below</P> <HR /> <P>10-27-2017 09:07:18.938 +0900 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group splunk01 has been blocked for 49250 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.<BR /> 10-27-2017 09:07:22.168 +0900 INFO TcpOutputProc - Removing quarantine from idx=xxx.xxx.xxx.xxx:9997<BR /> 10-27-2017 09:07:22.199 +0900 INFO TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:9997, pset=0, reuse=0.<BR /> 10-27-2017 09:07:22.714 +0900 INFO TailReader - ...continuing.<BR /> 10-27-2017 09:07:22.885 +0900 INFO LMStackMgr - should rollover=true because _lastRolloverTime=1508943600 lastRolloverDay=1508943600 snappedNow=1509030000<BR /> 10-27-2017 09:07:22.901 +0900 INFO LMStackMgr - finished rollover, new lastRolloverTime=1509062842</P> <HR /> <P>it seems like HF did not read the new log file which it should.<BR /> after i reboot the HF splunkd, it started to send all logs again.</P> <P>does anyone have any idea for the work-around other than rebooting HF's splunkd?</P> Fri, 27 Oct 2017 06:18:51 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336030#M62127 hkizuka 2017-10-27T06:18:51Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336031#M62128 <P>are you connected to your Indexers directly or using indexerDiscovery?</P> Fri, 27 Oct 2017 12:02:36 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336031#M62128 koshyk 2017-10-27T12:02:36Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336032#M62129 <P>Did you try reloading the inputs?</P> <P>./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme</P> <P>It might help.</P> Tue, 29 Sep 2020 16:30:12 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336032#M62129 peterchenadded 2020-09-29T16:30:12Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336033#M62130 <P>looking at the indexer directly.</P> Mon, 30 Oct 2017 05:14:01 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336033#M62130 hkizuka 2017-10-30T05:14:01Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336034#M62131 <P>thanks! i'll try when it happens again!</P> Mon, 30 Oct 2017 05:14:46 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-sending-logs-Windows/m-p/336034#M62131 hkizuka 2017-10-30T05:14:46Z