From what you’ve described, the “Socket error … broken pipe” on /services/streams/search is typically not the actual root failure but a downstream symptom of Splunk search connections being cut unexpectedly between the Search Head and indexers. In most cases, this happens when the indexer side closes the streaming connection because the underlying search process has stalled, been terminated, or hit a temporary resource constraint, even if overall system metrics like IOPS or CPU look normal on averages.

The fact that you are also seeing preforked search processes hanging and captain disconnect messages strongly suggests intermittent search pipeline saturation or scheduling delays rather than a simple networking or thread configuration issue. Increasing values like maxSockets or maxThreads in server.conf may reduce visible errors temporarily, but it often just pushes more load into an already constrained search layer instead of solving the underlying bottleneck.

In environments like this, the real issue is usually found in short bursts of CPU pressure, dispatch directory latency, search concurrency limits in limits.conf, or file descriptor exhaustion at the OS level. This is similar to diagnosing unstable flow in real systems where the average looks fine but momentary pressure drops cause failures, much like how services such as Plumber Singapore would investigate intermittent pipe blockages rather than just increasing pump capacity.

A good next step is to correlate timestamps between indexer search process logs and SH streaming errors to identify whether searches are being killed, delayed, or timing out under load.