All Apps and Add-ons

Stream:stats suddenly stop

Explorer

Hi,

My customer use splunk UF with stream app. (Splunk 6.4.3, App for stream : 6.6.1)
When I started UF, stream:stats event received successfully, but after few days it cannot received suddenly.
Only this event will not be collected and the other event(captured packet event) will be received normally.
So, when I restart UF, everything is Okay.
streamfwd.log have not any information for stop the stream:stats event.

Would you tell me about the transfer process for stream:stats event?

Tags (1)

Engager

Hi @golsida did you ever solve this? I am running into this same issue currently.

0 Karma

Splunk Employee
Splunk Employee

Hi @golsida,

Unlike the regular stream events, stream:stats events get sent to the _internal log. Do you have other events from the _internal log on your UF being forwarded consistently?

0 Karma

Engager

Hi @golsida did you ever solve this? I am running into this same issue currently.

0 Karma

Explorer

Hi vshcherbakov,

Yes, other events are forwarded consistently. (ex, splunkd.log, streamfwd.log)
When I restart UF splunk, it sends the events again.
But, after few days( 2~4 days) suddenly stop to send only stream:stats event.
In addition, our customer have 150 UF with stream app and 17~20 sites are forwarded normally.
Is the number of sites a problem?

0 Karma

Splunk Employee
Splunk Employee

Hmm.. that sounds strange. I'd suggest opening a support case so that we can review logs/diags/etc.

0 Karma