Facing the same high swap usage on SH here. Have you managed to bring down the beast ? ... View more

FYI - I ran into the same issue on one of my two heavy forwarders.   the issue why the  port 8000 was not accepting turned out to be an app that i had installed on the heavy forwarder. when i removed the app ( custom app )  the web port was accessible.    upon investigating the app i noticed it had index.conf and i suspect that could have caused the issue,  since that app was ment for indexer server, i deleted it from the Heavy forwarder and restarted splunk instance. the web GUI access then started working  ... View more

Get all the RAM that you can for your Search Heads, then for your Indexers. Max them out. The cost is low and the benefit is tremendous. Also, upgrade to 7.1.2 the day that it comes out. There are MAJOR memory leaks in all 7.* versions, but ESPECIALLY 7.1.* . ... View more

Hi, could you solve this problem? If you solved it, can you tell me how? ... View more

You may need to collect the following data in Splunk: *>dropped packets or connections *>any kind of network error You can get this information from SNMP polling/traps or sFlow counters or certain NetFlow/IPFIX records *>blockage by firewall or switch ACL syslogs or NetFlow data *>any other form of connection data NetFlow, sFlow, IPFIX We are a Splunk partner and we provide all this data (except syslog, which is natively ingested by Splunk) with our product - NetFlow Optimizer. Try it for free by visiting https://www.netflowlogic.com/download/ ... View more

Can you please show an example event? ... View more

Hi @perfecto25, Yes this is expected outcome. But if you login to your deployment server and go to setting ->monitoring console, there you can see overview of your cluster. ... View more

@perfecto25 - Glad you were able to find the solution to your question. Please don't forget to resolve your post by clicking "Accept" below your answer. Thanks! ... View more

Hello, I tried running, splunk btool inputs list --debug It shows correct syntax, /opt/splunkforwarder/etc/apps/jira-maestro/local/inputs.conf [monitor:///opt/jira-maestro/plugins/nessus/csv/report.csv] /opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunkforwarder/etc/apps/jira-maestro/local/inputs.conf disabled = false /opt/splunkforwarder/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunkforwarder/etc/apps/jira-maestro/local/inputs.conf index = nessus /opt/splunkforwarder/etc/apps/jira-maestro/local/inputs.conf sourcetype = csv Also tried copying the csv file to some other location ,for example /opt/test /opt/test/report.csv created a new input.conf, [default] index = nessus [monitor:///opt/test] whitelist = ^.*.csv sourcetype = csv disabled = false initCrcLength = 1048575 crcSalt = /opt/test Restarted forwarded, nothing gets sent to indexer, also tried modfying report.csv file to generate a change, using vim 04-07-2017 14:03:49.845 -0400 INFO WatchedFile - Will begin reading at offset=45491 for file='/opt/test/report.csv'. 04-07-2017 14:03:49.849 -0400 INFO WatchedFile - Resetting fd to re-extract header. 04-07-2017 13:53:06.534 -0400 WARN FileClassifierManager - The file '/opt/test/.report.csv.swp' is invalid. Reason: binary 04-07-2017 13:53:06.534 -0400 INFO TailReader - Ignoring file '/opt/test/.report.csv.swp' due to: binary 04-07-2017 13:53:10.667 -0400 WARN FileClassifierManager - The file '/opt/test/.report.csv.swp' is invalid. Reason: binary 04-07-2017 13:53:10.667 -0400 INFO TailReader - Ignoring file '/opt/test/.report.csv.swp' due to: binary 04-07-2017 13:53:13.984 -0400 INFO WatchedFile - Will begin reading at offset=45491 for file='/opt/test/report.csv'. 04-07-2017 13:53:13.984 -0400 INFO WatchedFile - Resetting fd to re-extract header. 04-07-2017 13:53:13.985 -0400 WARN TailReader - Insufficient permissions to read file='/opt/test/.report.csv.swp' (hint: No such file or directory , UID: 0, GID: 0). 04-07-2017 13:53:16.989 -0400 INFO WatchedFile - Resetting fd to re-extract header. also tried injecting a new column into csv to keep track of timestamp in format of "2017-04-07 11:38:53,008" Nothing is being sent to indexer. Indexer splunkd log doesnt show anything coming in for this report.csv All permissions are splunk user + 644 on the report.csv file ... View more

very odd, does the install of forwarder was smooth? does the forwarder version match the OS? do you have any inputs configured already on forwarder? ... View more

Did this ever work to resolve the issue. I am seeing the same error messages. Please advise.. ... View more

@johnmccash, This is an old question with an accepted answer. For better chances at a helpful response, please post a new question. ... View more