Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has the Splunk forwarder on Windows 2008R2 created so many sessions that no new sessions can be created?

yutaka1005
Builder
‎04-06-2018 01:07 AM

In my environment, there are two components like below.
Splunk 6.2.7 on Linux.
Splunk 6.2.7 on Windows 2008R2

Yesterday, when I checked netstat on windows, Forwarder was creating about ten thousand sessions in status "TIME_WAIT", so couldn't create new sessions!

For now, it has been normal, because I've rebooted it.
But I am worried that it will happen again.

Why did it happen?
I checked splunkd.log, and I found so many connection failed messages while it was happening.(I don't have any idea why the connection failed.)
If the connection between Splunk and Splunk forwarder has been failing for a long time, is that why it this happened?

I really appreciate if somebody can tell me about it.

I checked the answer below, but I don't configure connection_host = dns, so I don't think that this cause applys to this phenomenon.
https://answers.splunk.com/answers/114447/splunk-to-splunk-communication-stuck-in-close-wait.html

0 Karma
Reply

splunker12er
Motivator
‎04-06-2018 02:29 AM

How is your indexing performance? Did you take a look at your indexer splunkd.log ?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...