If your forwarders are struggling to send data in a timely manner and if it just started to happen around the times of below you can look into it further, i) New inputs added - Have you recently added new inputs that could have overloaded the indexers? If this is the case, try to disable them to see if it improves the situation and then look into it further why they caused this. Do you find many log messages from the category, DateParserVerbose or LineBreakingProcessor? If you find these log messages complaining about invalid timestamp or linebreaks then it is something to do with the input and props configurations causing Splunk to struggle to process the data. You will need to correct the config for the inputs first. http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition At any moment if you see the messages from these categories it means wrong configs make it hard for Splunk to process data appropriately. ii) New searches, check any expensive searches running around the time of the messages being put into splunkd.log. If you see this issue soon after adding new searches, either by new apps or by any splunk users, try to find any expensive searches from Monitoring Console. This could happen when theses searches block indexers from accessing disk in a timely manner. Or also you need to make sure the performance of disk subsystem, check IOPS to see if it meets the recommended performance; http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Referencehardware iii) Slow in processing index data This is similar to what I mentioned above. You also need to check the indexer queue status to see where the queue blocking started from. - If it's from indexing queue it could be due to the load on disk - If it's from typing queue it could be due to some expensive regex issues - If it's from aggQueue then it could be due to time stamp recognition or line breaking issue for some inputs iv) Have you had this kind of situation for a long time? - Then it would have been caused by the mix of above.. Please check the above and if it still persists or you think you have failed to locate the cause please contact Splunk Support and provide the below; - Splunk Deployment architecture - Diags from your indexers - Time of incident so that I know where to look into in log files. ... View more

If you think it's not about the expired cert issue check the permissions of kvstore file as below - I had the same - Copy from ndoshi's comments below to have better visibility. To be precise, the file is /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key. Doing a chmod 400 splunk.key did the trick. ... View more

Thanks for the updates, it turned out to be the case. Apologies for the confusion. We are doing our best to forward-port the fix to the next available releases. I will post them here once set. ... View more

This has been documented in the link, https://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Triggeredalertaction Add an alert to the Triggered Alerts list 1. Use one of the following options depending on whether you are creating a new alert or editing an existing alert. * Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed. * Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert. 2. From the Add Actions menu, select Add to triggered alerts. 3. Select an alert Severity level. Severity levels are informational only. They are used to group alerts in the Triggered Alerts list. The default level is Medium. 4. Click Save. ... View more

Firstly you may need to find the reason for the below message and why it tries to disable the default index. Most common cases are bucket id conflict. Check the splunkd.log splunkd: /home/build/build-src/ember/src/pipeline/indexer/IndexerService.cpp:928: void IndexerService::disableIndexesAndReinitGlobalConfig(const const_iterator&, const const_iterator&): Assertion `0 && "Cannot disable the default index."' failed. ... View more

Are you seeing this issue with other versions? Recently the similar issue has been fixed. Release versions are 6.4.5+ and 6.5.2+ If you are still seeing the issue please contact Splunk Support with the steps repro. Thank you. ... View more

This has been a known issue but recently splunkjs memory leak issue's been resolved and the fix is included in 6.4.5+ and 6.5.2+. Please try and provide any feedback. ... View more