Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why are our Splunk Forwarders each logging "ERROR DiskMon - None such on disk: /opt/splunkforwarder/var/run/splunk/dispatch" 144 times a day?

starks951
Explorer
‎07-28-2015 06:21 PM

We are seeing these errors in the forwarders splunkd.log from every Splunk forwarder we have 144 times per 24hr period (every ten mins) per server. All servers are running Splunk Light Forwarder 6.2.1, 6.2.2, and 6.2.3 across the enterprise.

on Linux hosts it looks like this

07-28-2015 19:48:35.831 -0500 ERROR DiskMon - None such on disk: /opt/splunkforwarder/var/run/splunk/dispatch

and on windows like this

07-28-2015 19:48:34.228 -0500 ERROR DiskMon - None such on disk: F:\Program Files\SplunkUniversalForwarder\var\run\splunk\dispatch

The only thing I can think of is that something is trying to run splunkd clean-dispatch and the system can't find the dir, but I can't find anything in our deployment server that would be configured to run this. I have seen these errors in a few other logs posted here, but the issues seem to be about a server trying to bind to a port already in use on Win7 (not our issue here).

Anyone have ANY idea why this might be happening?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ellen
Splunk Employee
Splunk Employee
‎11-12-2015 04:13 PM

What you are seeing in 6.2 - 6.2.6 is a known issue, SPL-109387 where both UF and LWF will log this benign error every 10 minutes.

ERROR DiskMon - None such on disk: .../splunkforwarder/var/run/splunk/dispatch

This is related when the app .../splunkforwarder/etc/apps/introspection_generator_addon has been enabled and information relating to disk object partitions is attempted to be retrieved.

Below are 3 different workarounds:

Option 1:
Edit ../splunkforwarder/etc/system/local/server.conf and add the following entry:

[introspection:generator:disk_objects__partitions]
disabled = true

Option 2:
In ../splunkforwarder/etc/log.cfg (requires restart),
Increase the logging level of category.DiskMon=INFO to 

category.DiskMon=CRIT

Option 3:
3) create on that UF/LWF an empty directory called... /splunkforwarder/var/run/splunk/dispatch

View solution in original post

Reply
Solved! Jump to solution
Solution

Ellen
Splunk Employee
Splunk Employee
‎11-12-2015 04:13 PM

What you are seeing in 6.2 - 6.2.6 is a known issue, SPL-109387 where both UF and LWF will log this benign error every 10 minutes.

ERROR DiskMon - None such on disk: .../splunkforwarder/var/run/splunk/dispatch

This is related when the app .../splunkforwarder/etc/apps/introspection_generator_addon has been enabled and information relating to disk object partitions is attempted to be retrieved.

Below are 3 different workarounds:

Option 1:
Edit ../splunkforwarder/etc/system/local/server.conf and add the following entry:

[introspection:generator:disk_objects__partitions]
disabled = true

Option 2:
In ../splunkforwarder/etc/log.cfg (requires restart),
Increase the logging level of category.DiskMon=INFO to 

category.DiskMon=CRIT

Option 3:
3) create on that UF/LWF an empty directory called... /splunkforwarder/var/run/splunk/dispatch

Reply
Solved! Jump to solution

USPSSplunkSuppo
Explorer
‎08-13-2015 10:11 AM

I suspect the introspection app cannot differentiate between forwarder and other Splunk device types such as Indexers, Search Heads, etc.

My workaround was to: mkdir $SPLUNK_HOME/var/run/splunk/dispatch

But then I only currently have a small number of forwarders.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...