I have a Windows host (192.168.2.2) which has a universal forwarder installed and is set up to talk to my single-instance Splunk.
I have added the Windows app with only 2 perfmon counters being monitored.
The Windows host runs Hyper-V, which runs the Splunk instance.
As you can see below, I have normal connections from other hosts, but for some reason the Windows host has established multiple TCP connections to Splunk. The list of connections keeps growing, so I have to stop the Splunkd service on the Windows host.
netstat -aon | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54228 ESTABLISHED keepalive (6993.74/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54234 ESTABLISHED keepalive (7073.10/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54241 ESTABLISHED keepalive (7132.44/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54216 ESTABLISHED keepalive (6921.62/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54217 ESTABLISHED keepalive (6940.68/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.4:34608 ESTABLISHED keepalive (4530.40/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.102:52379 ESTABLISHED keepalive (4516.28/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54229 ESTABLISHED keepalive (7015.83/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.1:53925 ESTABLISHED keepalive (4518.96/0/0)
tcp 0 0 192.168.2.3:9997 192.168.2.2:54251 ESTABLISHED keepalive (7191.76/0/0)
I have tried restarting Splunkforwarder service, uninstalling and reinstalling Splunk forwarder.
The connections finish but once I start or reinstall the forwarder, the TCP connections start again.
There is nothing special in my etc/system/local/outputs.conf
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = serlin001:9997
[tcpout-server://serlin001:9997]
Splunk Free Trial 6.5.2
Splunk Universal Forwarder 6.5.2