Stream:stats suddenly stop

golsida · ‎01-05-2017

Hi,

My customer use splunk UF with stream app. (Splunk 6.4.3, App for stream : 6.6.1)
When I started UF, stream:stats event received successfully, but after few days it cannot received suddenly.
Only this event will not be collected and the other event(captured packet event) will be received normally.
So, when I restart UF, everything is Okay.
streamfwd.log have not any information for stop the stream:stats event.

Would you tell me about the transfer process for stream:stats event?

dm1 · ‎08-12-2021

Did you end up fixing this issue ?

abroglesc · ‎10-30-2018

Hi @golsida did you ever solve this? I am running into this same issue currently.

vshcherbakov_sp · ‎01-07-2017

Hi @golsida,

Unlike the regular stream events, stream:stats events get sent to the _internal log. Do you have other events from the _internal log on your UF being forwarded consistently?

abroglesc · ‎10-30-2018

Hi @golsida did you ever solve this? I am running into this same issue currently.

golsida · ‎01-09-2017

Hi vshcherbakov,

Yes, other events are forwarded consistently. (ex, splunkd.log, streamfwd.log)
When I restart UF splunk, it sends the events again.
But, after few days( 2~4 days) suddenly stop to send only stream:stats event.
In addition, our customer have 150 UF with stream app and 17~20 sites are forwarded normally.
Is the number of sites a problem?

vshcherbakov_sp · ‎01-09-2017

Hmm.. that sounds strange. I'd suggest opening a support case so that we can review logs/diags/etc.

Stream:stats suddenly stop

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!