https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479548#M82276 <P>Got an alert for a HF restarting and trying to find the root cause of unexpected restart. I'm using the search below and the results shown are at the start of the event which led to the "Starting Splunk server daemon (splunkd)... " alert</P> <PRE><CODE>index=_internal source="/opt/splunk/var/log/splunk/splunkd_st*" host=MYHF </CODE></PRE> <P>Results:</P> <PRE><CODE> 4/22/20 1:14:38.000 PM Checking prerequisites... 4/22/20 1:14:38.000 PM Splunk&gt; The IT Search Engine. 4/22/20 1:14:38.000 PM splunkd is not running. [FAILED] 4/22/20 1:14:34.824 PM 2020-04-22 13:14:34.824 -0400 splunkd started (build 6db836e2fb9e) pid=25388 4/22/20 1:14:34.000 PM Bypassing local license checks since this instance is configured with a remote license master. </CODE></PRE> <P>Is there anywhere I could look that could give a more specific reason as to why the HF restarted?</P> <P>Thanks in advance</P> Wed, 22 Apr 2020 17:53:37 GMT wwhite12 2020-04-22T17:53:37Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479548#M82276 <P>Got an alert for a HF restarting and trying to find the root cause of unexpected restart. I'm using the search below and the results shown are at the start of the event which led to the "Starting Splunk server daemon (splunkd)... " alert</P> <PRE><CODE>index=_internal source="/opt/splunk/var/log/splunk/splunkd_st*" host=MYHF </CODE></PRE> <P>Results:</P> <PRE><CODE> 4/22/20 1:14:38.000 PM Checking prerequisites... 4/22/20 1:14:38.000 PM Splunk&gt; The IT Search Engine. 4/22/20 1:14:38.000 PM splunkd is not running. [FAILED] 4/22/20 1:14:34.824 PM 2020-04-22 13:14:34.824 -0400 splunkd started (build 6db836e2fb9e) pid=25388 4/22/20 1:14:34.000 PM Bypassing local license checks since this instance is configured with a remote license master. </CODE></PRE> <P>Is there anywhere I could look that could give a more specific reason as to why the HF restarted?</P> <P>Thanks in advance</P> Wed, 22 Apr 2020 17:53:37 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479548#M82276 wwhite12 2020-04-22T17:53:37Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479549#M82277 <P>The actual log of "Starting splunk server daemon (splunkd)... " also came in the query results but I only included the oldest events as they all happened at the same time but the most recent events were just Splunk preliminary restart procedures</P> Wed, 22 Apr 2020 17:55:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479549#M82277 wwhite12 2020-04-22T17:55:23Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479550#M82278 <P>Hello @wwhite12,</P> <P>among several reasons, it could be the "Forwarder Mangement" which can restart Splunkd when an app is deployed.</P> Wed, 22 Apr 2020 18:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-restart-heavy-forwarder/m-p/479550#M82278 PavelP 2020-04-22T18:14:05Z