https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252638#M99189 <P>nice work!</P> Fri, 18 Mar 2016 19:13:18 GMT muebel 2016-03-18T19:13:18Z https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252637#M99188 <P>This is less of a question and more of a record on Splunk Answers of an issue we ran into.</P> <P><STRONG>Symptoms:</STRONG><BR /> You are on Red Hat 6.6, 7.0, or 7.1</P> <P>The Indexer stops receiving data from Forwarders, but looks to be up and running fine otherwise. In a sense it seems stuck for our TCP input port on <EM>splunkd</EM>. For example, the Indexer still participates as a peer for any searches, and the Indexer also looks to continue indexing any data generated locally - internal Splunk logs or scripted inputs running on that Indexer. Essentially the TCP input port is bad, but the <EM>splunkd</EM> admin port is fine.</P> <P>When running the following search, any Indexers having this problem would show up has having 1 or 0 Distinct Hosts since they weren't able to receive anything from Forwarders:</P> <PRE><CODE>index=_internal sourcetype=splunkd earliest=-15m | stats count as event_count, dc(host) as distinct_hosts by splunk_server </CODE></PRE> <P>Also, we would notice a lot of TCP connections sitting in a CLOSE_WAIT or SYN_RECV state when running <EM>netstat -an</EM> on the Indexer.</P> <P><STRONG>Workaround:</STRONG></P> <P>Use <EM>pstack</EM> to dump a list of processes associated with <EM>splunkd</EM>. This will magically fix things without having to restart the Indexer:</P> <PRE><CODE>pstack `head -1 $SPLUNK_HOME/var/run/splunk/splunkd.pid` </CODE></PRE> <P><STRONG>Solution:</STRONG></P> <P>There is a bug in Red Hat that causes things to go awry:</P> <P><A href="https://access.redhat.com/solutions/1386323" target="_blank">https://access.redhat.com/solutions/1386323</A></P> <P>In our case, the solution was to patch from kernel <STRONG>2.6.32-504.8.1</STRONG> to <STRONG>2.6.32-504.16.2</STRONG></P> <P><STRONG>Environment Details:</STRONG><BR /> - <STRONG>Splunk</STRONG>: 6.2.5 (build 272645)<BR /> - <STRONG>OS</STRONG>: Red Hat Linux 2.6.32-504.8.1.el6.x86_64 #1 SMP Fri Dec 19 12:09:25 EST 2014 x86_64 x86_64 x86_64 GNU/Linux<BR /> - <STRONG>HW</STRONG>: Cisco UCS C240</P> Tue, 29 Sep 2020 09:08:28 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252637#M99188 jhupka 2020-09-29T09:08:28Z https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252638#M99189 <P>nice work!</P> Fri, 18 Mar 2016 19:13:18 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252638#M99189 muebel 2016-03-18T19:13:18Z https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252639#M99190 <P>Solution:</P> <P>There is a bug in Red Hat that causes things to go awry:</P> <P><A href="https://access.redhat.com/solutions/1386323">https://access.redhat.com/solutions/1386323</A></P> <P>In our case, the solution was to patch from kernel 2.6.32-504.8.1 to 2.6.32-504.16.2</P> Fri, 18 Mar 2016 19:35:07 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-stops-receiving-data-from-forwarders/m-p/252639#M99190 jhupka 2016-03-18T19:35:07Z