Getting Data In

Why am I getting "memPartAlloc: block too big" sending my SIP phone syslog to universal forwarders?

rene847
Path Finder

Hi all,

This morning, after some verification, I found some errors in my search headwith my SIP phones.
I have 150 polycom phone. They send their syslog to Universal Forwarders. Config file is:

[udp://172.16.72.70:514]
        source = sip_syslog
        sourcetype = polycom:siplab
        connection_host = none
        acceptFrom = 172.16.72.70
        disabled = false
        index = ti-telephone

I think it is correc,t but I found lots of errors like:

Sep  1 14:47:13 172.16.86.70 Sep  1 10:47:21 172.16.86.70 0901104721|sys  |*|03|0x9581bea0 (tPktProSys): memPartAlloc: block too big - 21848 in partition 0x94b6feec.
date_hour = 14 date_mday = 1 date_minute = 47 date_month = september date_second = 13 date_wday = tuesday date_year = 2015 date_zone = local host = UniversalFowarders index = ti-telephone linecount = 1 punct = ___::_...____::_..._|__|*||_():_:____-____. source = sip_syslog sourcetype = polycom:sip splunk_server = IndexServer splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default

All other equipment (257) is working fine except the new phones recently added.
Do you have an idea of this error?

Thank you a lot
Best regards
Rene R.

0 Karma
1 Solution

rene847
Path Finder

Finally, it's the phones problem. The master configuration was wrong.

View solution in original post

0 Karma

rene847
Path Finder

Finally, it's the phones problem. The master configuration was wrong.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...