https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480531#M82380 <P>We have a support ticket open, but I thought I'd also ask the community. Since upgrading our Splunk to 8.0.1 this one HF has been spewing "TcpOutputProc - Possible duplication of events " for most channels. As well as "TcpOutputProc - Applying quarantine to ip=xx.xx.xx.xx port=9998 _numberOfFailures=2"</P> <P>We upgraded on the 15th near midnight. This is a count of those the errors from that host. <BR /> 2020-02-14 0<BR /> 2020-02-15 623<BR /> 2020-02-16 923874<BR /> 2020-02-17 396920<BR /> 2020-02-18 678568<BR /> 2020-02-19 602100<BR /> 2020-02-20 459284<BR /> 2020-02-21 1177642</P> <P>Here is a count from the indexer cluster showing the number of blocked=true events. One would expect these to be similar in count if the indexers were telling the HF to go elsewhere because it's queues were full. </P> <P>index=_internal host=INDEXERNAMES sourcetype=splunkd source=/opt/splunk/var/log/splunk/metrics.log blocked=true component=Metrics<BR /> | timechart span=1d count by source</P> <P>2020-02-14 7<BR /> 2020-02-15 180<BR /> 2020-02-16 260<BR /> 2020-02-17 15<BR /> 2020-02-18 18<BR /> 2020-02-19 2415<BR /> 2020-02-20 1<BR /> 2020-02-21 2</P> <P>Lastly, it's not just one source or channel, it's everything from the host.</P> <P>index=_internal component=TcpOutputProc host=ghdsplfwd01lps log_level=WARN duplication<BR /> | rex field=event_message "channel=source::(?[^|]+)"<BR /> | stats count by channel</P> <P>/opt/splunk/var/log/introspection/disk_objects.log 51395<BR /> /opt/splunk/var/log/introspection/resource_usage.log 45470<BR /> mule-prod-analytics 42192<BR /> /opt/splunk/var/log/splunk/metrics.log 28283<BR /> web_ping://PROD_CommerceHub 27881<BR /> web_ping://V8_PROD_CustomSolr5 27877<BR /> web_ping://V8_PROD_WebServer4 27873<BR /> web_ping://EnterWorks PRD 27871<BR /> web_ping://RTP DEV 27870<BR /> web_ping://Ensighten 27869<BR /> web_ping://RTP 27867<BR /> bandwidth 20570<BR /> cpu 19949<BR /> iostat 19946<BR /> ps 19821</P> <P>Any ideas? </P> Wed, 30 Sep 2020 04:22:39 GMT JDukeSplunk 2020-09-30T04:22:39Z https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480531#M82380 <P>We have a support ticket open, but I thought I'd also ask the community. Since upgrading our Splunk to 8.0.1 this one HF has been spewing "TcpOutputProc - Possible duplication of events " for most channels. As well as "TcpOutputProc - Applying quarantine to ip=xx.xx.xx.xx port=9998 _numberOfFailures=2"</P> <P>We upgraded on the 15th near midnight. This is a count of those the errors from that host. <BR /> 2020-02-14 0<BR /> 2020-02-15 623<BR /> 2020-02-16 923874<BR /> 2020-02-17 396920<BR /> 2020-02-18 678568<BR /> 2020-02-19 602100<BR /> 2020-02-20 459284<BR /> 2020-02-21 1177642</P> <P>Here is a count from the indexer cluster showing the number of blocked=true events. One would expect these to be similar in count if the indexers were telling the HF to go elsewhere because it's queues were full. </P> <P>index=_internal host=INDEXERNAMES sourcetype=splunkd source=/opt/splunk/var/log/splunk/metrics.log blocked=true component=Metrics<BR /> | timechart span=1d count by source</P> <P>2020-02-14 7<BR /> 2020-02-15 180<BR /> 2020-02-16 260<BR /> 2020-02-17 15<BR /> 2020-02-18 18<BR /> 2020-02-19 2415<BR /> 2020-02-20 1<BR /> 2020-02-21 2</P> <P>Lastly, it's not just one source or channel, it's everything from the host.</P> <P>index=_internal component=TcpOutputProc host=ghdsplfwd01lps log_level=WARN duplication<BR /> | rex field=event_message "channel=source::(?[^|]+)"<BR /> | stats count by channel</P> <P>/opt/splunk/var/log/introspection/disk_objects.log 51395<BR /> /opt/splunk/var/log/introspection/resource_usage.log 45470<BR /> mule-prod-analytics 42192<BR /> /opt/splunk/var/log/splunk/metrics.log 28283<BR /> web_ping://PROD_CommerceHub 27881<BR /> web_ping://V8_PROD_CustomSolr5 27877<BR /> web_ping://V8_PROD_WebServer4 27873<BR /> web_ping://EnterWorks PRD 27871<BR /> web_ping://RTP DEV 27870<BR /> web_ping://Ensighten 27869<BR /> web_ping://RTP 27867<BR /> bandwidth 20570<BR /> cpu 19949<BR /> iostat 19946<BR /> ps 19821</P> <P>Any ideas? </P> Wed, 30 Sep 2020 04:22:39 GMT https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480531#M82380 JDukeSplunk 2020-09-30T04:22:39Z https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480532#M82381 <P>The HF is still "sick" but here are some things we did that seemed to help.</P> <OL> <LI>Edited the outputs.conf that this HF used to output to forwarders within it's own site. </LI> <LI>Removed useACK=true from outputs.conf </LI> </OL> <P>I'm a little concerned about #2 there. We could still be having issues with the outputs, only now the events are being dropped on the floor. In other words the condition may still be present, we have simply turned off the logging by removing useAck. </P> Fri, 06 Mar 2020 15:11:26 GMT https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480532#M82381 JDukeSplunk 2020-03-06T15:11:26Z https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480533#M82382 <P>Hi</P> <P>If you have many separate transforms on props.conf for individual source/source type etc. try to combine those to one line e.g.</P> <P>TRANSFORMS-foo = foo1<BR /> TRANSFORMS-bar = bar1</P> <P>To</P> <P>TRANSFORMS-foobar = foo1, bar1</P> <P>This helps in our case after update 6.6.5 to 7.3.3.</P> <P>Ismo</P> Fri, 06 Mar 2020 18:57:37 GMT https://community.splunk.com/t5/Getting-Data-In/8-0-1-upgraded-Heavy-Forwarder-TcpOutputProc-Possible/m-p/480533#M82382 isoutamo 2020-03-06T18:57:37Z