topic Re: splunk forwarders using too many sockets in Getting Data In https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131946#M97798 <P>My indexer ports are receiving data. It looks fine. The problem is in the forwarder machine which is exhausting socket availability. No other ports were initially set</P> Thu, 07 Nov 2013 08:25:26 GMT dtekas 2013-11-07T08:25:26Z splunk forwarders using too many sockets https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131944#M97796 <P>I have the following config in outputs.conf for splunk forwarder installed on a linux machine.</P> <P>connectionTimeout = 20<BR /> defaultGroup = default-autolb-group<BR /> dropEventsOnQueueFull = -1<BR /> indexAndForward = false<BR /> maxConnectionsPerIndexer = 2<BR /> maxFailuresPerInterval = 2<BR /> maxQueueSize = 500KB<BR /> readTimeout = 300<BR /> secsInFailureInterval = 1<BR /> useACK = false<BR /> writeTimeout = 300</P> <P>[tcpout:default-autolb-group]<BR /> autoLB = true<BR /> autoLBFrequency = 30<BR /> compressed = false</P> <P>The forwarder is sending some historical logs too of past few months. As soon as splunk is started lot of processes on that machine cannot process due to lack of open ports as forwarder is using a lot of sockets i guess.<BR /> Is there anyway to limit the number of sockets it use? </P> Thu, 07 Nov 2013 06:39:21 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131944#M97796 dtekas 2013-11-07T06:39:21Z Re: splunk forwarders using too many sockets https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131945#M97797 <P>Check for any unused ports where initially data was configured to be received but later on stopped for some reason<BR /> you may remove those unused port using "splunk remove udp (or tcp) port#&gt;</P> <P>bit of housekeeping stuff might just help</P> Thu, 07 Nov 2013 07:33:11 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131945#M97797 rawatvineet 2013-11-07T07:33:11Z Re: splunk forwarders using too many sockets https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131946#M97798 <P>My indexer ports are receiving data. It looks fine. The problem is in the forwarder machine which is exhausting socket availability. No other ports were initially set</P> Thu, 07 Nov 2013 08:25:26 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarders-using-too-many-sockets/m-p/131946#M97798 dtekas 2013-11-07T08:25:26Z