My customer use splunk UF with stream app. (Splunk 6.4.3, App for stream : 6.6.1)
When I started UF, stream:stats event received successfully, but after few days it cannot received suddenly.
Only this event will not be collected and the other event(captured packet event) will be received normally.
So, when I restart UF, everything is Okay.
streamfwd.log have not any information for stop the stream:stats event.
Would you tell me about the transfer process for stream:stats event?
Unlike the regular stream events, stream:stats events get sent to the _internal log. Do you have other events from the _internal log on your UF being forwarded consistently?
Yes, other events are forwarded consistently. (ex, splunkd.log, streamfwd.log)
When I restart UF splunk, it sends the events again.
But, after few days( 2~4 days) suddenly stop to send only stream:stats event.
In addition, our customer have 150 UF with stream app and 17~20 sites are forwarded normally.
Is the number of sites a problem?