Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Indexer stops receiving data from forwarders

jhupka
Path Finder
‎03-18-2016 11:51 AM

This is less of a question and more of a record on Splunk Answers of an issue we ran into.

Symptoms:
You are on Red Hat 6.6, 7.0, or 7.1

The Indexer stops receiving data from Forwarders, but looks to be up and running fine otherwise. In a sense it seems stuck for our TCP input port on splunkd. For example, the Indexer still participates as a peer for any searches, and the Indexer also looks to continue indexing any data generated locally - internal Splunk logs or scripted inputs running on that Indexer. Essentially the TCP input port is bad, but the splunkd admin port is fine.

When running the following search, any Indexers having this problem would show up has having 1 or 0 Distinct Hosts since they weren't able to receive anything from Forwarders:

index=_internal sourcetype=splunkd earliest=-15m | stats count as event_count, dc(host) as distinct_hosts by splunk_server

Also, we would notice a lot of TCP connections sitting in a CLOSE_WAIT or SYN_RECV state when running netstat -an on the Indexer.

Workaround:

Use pstack to dump a list of processes associated with splunkd. This will magically fix things without having to restart the Indexer:

pstack `head -1 $SPLUNK_HOME/var/run/splunk/splunkd.pid`

Solution:

There is a bug in Red Hat that causes things to go awry:

https://access.redhat.com/solutions/1386323

In our case, the solution was to patch from kernel 2.6.32-504.8.1 to 2.6.32-504.16.2

Environment Details:
- Splunk: 6.2.5 (build 272645)
- OS: Red Hat Linux 2.6.32-504.8.1.el6.x86_64 #1 SMP Fri Dec 19 12:09:25 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
- HW: Cisco UCS C240

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎03-18-2016 12:35 PM

Solution:

There is a bug in Red Hat that causes things to go awry:

https://access.redhat.com/solutions/1386323

In our case, the solution was to patch from kernel 2.6.32-504.8.1 to 2.6.32-504.16.2

View solution in original post

Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎03-18-2016 12:35 PM

Solution:

There is a bug in Red Hat that causes things to go awry:

https://access.redhat.com/solutions/1386323

In our case, the solution was to patch from kernel 2.6.32-504.8.1 to 2.6.32-504.16.2

Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-18-2016 12:13 PM

nice work!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...