I have a server running Splunk Enterprise 7.2, and we've been having indexing issues the past week. I found the following error in the splunkd logs for max user watches.
0500 ERROR FilesystemChangeWatcher - Error using inotify to watch filesystem -- /proc/sys/fs/inotify/max_user_watches is probably too low. Falling back to using timeout-based polling.
Could this error be what is causing the indexing issues?