Getting Data In

SUF: "Could not read CowPipelineData from the persistent store"

twinspop
Influencer

One of my forwarders is blasting the subject message into my internal index at an alarming rate. What's it mean? What's the fix? This particular forwarder has exactly the same configs as 300 others, all of which are not throwing the error.

32-bit Windows 4.3.4.

0 Karma

ahattrell_splun
Splunk Employee

The most likely reason you are seeing this error is a corruption in the wmi checkpoint file.

Please check the following:
1. Check the wmi_checkpoint file in %SPLUNK_DB\persistentstorage directory if one exists. If it does not exist, please make sure that the Splunk administrator account has read and write access to this directory.
2. Check the modified date stamp on that file. If it exists and the timestamp is old, try deleting it and restarting it.
3. Make sure that you don't have a virus scan monitoring the Splunk directory.

If you have enterprise support then you may want to log a ticket for this issue. If not and the above does not help, some customers have resolved this by re-installing the forwarder.

0 Karma
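Checks 1 and 2 from the answer above, scripted as an added PowerShell example (not part of the original post and not Splunk's own tooling). It assumes you pass the forwarder's persistentstorage directory as `-StoreDir`; the `-StaleDays` threshold for "old" is a hypothetical parameter, and the antivirus check in step 3 is not covered.

```powershell
# Added example: read-only health check for the WMI checkpoint file.
# Run it as the account the forwarder service uses, so the access test is meaningful.
# -StoreDir  : path to the persistentstorage directory (assumption: supplied by you)
# -StaleDays : hypothetical threshold; a checkpoint older than this is reported as stale
param(
    [Parameter(Mandatory = $true)][string]$StoreDir,
    [int]$StaleDays = 1
)

$checkpoint = Join-Path $StoreDir 'wmi_checkpoint'
$result = New-Object PSObject -Property @{
    Directory = $StoreDir; DirWritable = $false; FileExists = $false
    LastWrite = $null; SizeBytes = $null; Stale = $null
}

if (-not (Test-Path -LiteralPath $StoreDir -PathType Container)) {
    Write-Warning "Directory not found: $StoreDir"
    return $result
}

# Step 1: prove read/write access by creating and removing a probe file.
$probe = Join-Path $StoreDir ([IO.Path]::GetRandomFileName())
try {
    [IO.File]::WriteAllText($probe, 'probe')
    [void][IO.File]::ReadAllText($probe)
    Remove-Item -LiteralPath $probe -Force
    $result.DirWritable = $true
} catch {
    Write-Warning "Current account cannot read/write ${StoreDir}: $($_.Exception.Message)"
}

# Step 2: report the checkpoint's age and size; nothing is deleted here.
if (Test-Path -LiteralPath $checkpoint -PathType Leaf) {
    $file = Get-Item -LiteralPath $checkpoint
    $result.FileExists = $true
    $result.LastWrite  = $file.LastWriteTime
    $result.SizeBytes  = $file.Length
    $result.Stale      = $file.LastWriteTime -lt (Get-Date).AddDays(-$StaleDays)
    if ($result.Stale) {
        Write-Warning "wmi_checkpoint last written $($file.LastWriteTime); older than $StaleDays day(s)."
    }
} else {
    Write-Warning "No wmi_checkpoint file in $StoreDir"
}

# Show who holds which rights on the directory, then the summary object.
(Get-Acl -Path $StoreDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
$result
```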