One of my forwarders is blasting the subject message into my internal index at an alarming rate. What's it mean? What's the fix? This particular forwarder has exactly the same configs as 300 others, all of which are not throwing the error.
The most likely reason you are seeing this error is a corruption in the WMI checkpoint file.
Please check the following:
1. Check the wmicheckpoint file in %SPLUNKDB\persistentstorage directory if one exists. If it does not exist, please make sure that the Splunk administrator account has read and write access to this directory.
2. Check the modified date stamp on that file. If it exists and the timestamp is old, try deleting it and restarting it.
3. Make sure that you don't have a virus scan monitoring the Splunk directory.
If you have enterprise support then you may want to log a ticket for this issue. If not and the above does not help, some customers have resolved this by re-installing the forwarder.
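A read-only PowerShell check for steps 1 and 2 of the answer above, added here as an example; it is not part of the original post or of Splunk's own tooling. The directory path, service account name, file-name wildcard and 24-hour "old" threshold are assumptions to adjust for the affected forwarder.

```powershell
# Added example: read-only checks for steps 1 and 2. Nothing is deleted or changed.
param(
    # Full path of the persistentstorage directory from step 1 (supply your own).
    [Parameter(Mandatory)] [string] $StorageDir,
    # Account the forwarder service runs as, e.g. 'NT AUTHORITY\SYSTEM' (assumption).
    [Parameter(Mandatory)] [string] $ServiceAccount,
    # Assumed wildcard for the checkpoint file name; adjust to what is on disk.
    [string] $NamePattern = 'wmi*checkpoint*',
    # Assumed threshold for an "old" timestamp; the post gives no number.
    [int] $StaleHours = 24
)

if (-not (Test-Path -LiteralPath $StorageDir -PathType Container)) {
    Write-Warning "Directory not found: $StorageDir"
    return
}

# Step 1: look for an Allow rule granting the account both Read and Write.
# Only rules naming the account directly are matched; access granted through
# group membership is not resolved here.
$needed = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$rules = (Get-Acl -LiteralPath $StorageDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $needed) -eq $needed
}
if ($rules) {
    Write-Output "$ServiceAccount has read/write on $StorageDir"
} else {
    Write-Warning "No direct read/write Allow rule for $ServiceAccount on $StorageDir"
}

# Step 2: report the checkpoint file's last-modified time and flag it if old.
$files = Get-ChildItem -LiteralPath $StorageDir -Filter $NamePattern -File
if (-not $files) {
    Write-Output "No file matching '$NamePattern' in $StorageDir"
}
foreach ($f in $files) {
    $age = (Get-Date) - $f.LastWriteTime
    [pscustomobject]@{
        File      = $f.FullName
        LastWrite = $f.LastWriteTime
        AgeHours  = [math]::Round($age.TotalHours, 1)
        Stale     = $age.TotalHours -gt $StaleHours
    }
}
```

Running the same script on one of the forwarders that does not log the error gives a baseline to compare the ACL and timestamp against.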