Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarder stop accepting connections

jgauthier
Contributor
‎08-10-2011 06:43 AM

This morning I opened a dashboard and was greeted with "results not found."
I thought this was peculiar, so I started doing some digging and found that the server I was forwarding from had this in its log file:
08-10-2011 09:10:49.476 -0400 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
08-10-2011 09:10:53.799 -0400 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...

So, I began poking around, and could not figure out what was happening.
Finally, I started to think it was the receiver on the indexer, so I tried to hit the listening port:

jgauthier$ telnet 192.168.74.45 9997
Trying 192.168.74.45...

Nothing. I tried from another system.. nothing. Not a "Connection refused", just totally not accepting. I restarted splunkd, and everything started working.

I could not find any log files on the splunk indexer to help, because it started a few days ago and has since been scrolled from the log.

Any suggestions?

Tags (1)
Reply

Lex
New Member
‎08-10-2011 07:06 AM

I had a similar problem where the issue was that the Splunk server was running into its 1024 open file limit. I edited the /etc/security/limits.conf to allow for a 2048 softlimit and 4096 hardlimit on "nofile" and restarted. Check with ulimit -a if the new setting has indeed taken effect.

Obviously, this only applies if your receiving Splunk server is a Linux server.

0 Karma
Reply

jgauthier
Contributor
‎08-10-2011 09:25 AM

Yup. My splunk server is Windows. (latest version of both)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...