Why did my Splunkforwarder stop with the error "Wa...

joe7409 · ‎02-24-2015

Splunkforwarder stops with the below error in the splunkd.log:

0500 ERROR WatchedFile - About to assert due to: destroying state while still cached: state=0x0x7f0e5991c780 wtf=0x0x7f0e5992f200 off=0 initcrc=0xeecf05
88f22411cc scrc=0x0 fallbackcrc=0x0 last_eof_time=1424150223 reschedule_target=0 is_cached=343536 fd_valid=true exists=true last_char_newline=true on_block_boundary=true only_no
tified_once=false was_replaced=true eof_seconds=3 unowned=false always_read=false was_too_new=false is_batch=true name="/var/log/mongo/rotated/mongod.log.2015-02-17.1424150222"

sgarvin55 · ‎06-26-2015

This is a Known Issue, SPL-94913 and fixed in Splunk 6.2.2.

mookiie2005 · ‎05-24-2017

I downvoted this post because we are running splunk 6.4.0 and have the same issue.

JimDeich · ‎04-11-2015

I know this mean the file was in a transient state but I need a work-around for this also. It seem splunk should just drop the file and
go on.

Why did my Splunkforwarder stop with the error "WatchedFile - About to assert due to: destroying state while still cached..." in the splunkd.log?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Application management with Targeted Application Install for Victoria Experience

Join the Conversation

Why did my Splunkforwarder stop with the error "WatchedFile - About to assert due to: destroying state while still cached..." in the splunkd.log?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Application management with Targeted Application Install for Victoria Experience