Monitoring Splunk

Why did my Splunkforwarder stop with the error "WatchedFile - About to assert due to: destroying state while still cached..." in the splunkd.log?

joe7409
New Member

Splunkforwarder stops with the below error in the splunkd.log:

0500 ERROR WatchedFile - About to assert due to: destroying state while still cached: state=0x0x7f0e5991c780 wtf=0x0x7f0e5992f200 off=0 initcrc=0xeecf05
88f22411cc scrc=0x0 fallbackcrc=0x0 last_eof_time=1424150223 reschedule_target=0 is_cached=343536 fd_valid=true exists=true last_char_newline=true on_block_boundary=true only_no
tified_once=false was_replaced=true eof_seconds=3 unowned=false always_read=false was_too_new=false is_batch=true name="/var/log/mongo/rotated/mongod.log.2015-02-17.1424150222"
0 Karma

sgarvin55
Splunk Employee
Splunk Employee

This is a Known Issue, SPL-94913 and fixed in Splunk 6.2.2.

0 Karma

mookiie2005
Communicator

I downvoted this post because we are running splunk 6.4.0 and have the same issue.

0 Karma

JimDeich
Path Finder

I know this mean the file was in a transient state but I need a work-around for this also. It seem splunk should just drop the file and
go on.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...