I'm getting identical symptoms on universal forwarder 5.0.2 but the workaround doesn't seem to work and nothing suspicious can be found in log files (I even tried splunk start --debug).
Any idea what I should be looking at?
# Splunk inputs.conf: settings in the bare [splunktcp] stanza.
# NOTE(review): the alphabetical key order and the underscore-prefixed key suggest
# this is merged `btool` output rather than a hand-edited file - confirm.
[splunktcp]
# Socket receive buffer size in bytes (1572864 = 1.5 MiB).
_rcvbuf = 1572864
# Network ACL for inbound connections; `*` accepts any source address.
# Where the listener is reachable from networks other than the forwarders' own,
# narrow this to the forwarder addresses or subnets.
acceptFrom = *
# Take the host value from the connecting peer's IP address.
# NOTE(review): for splunktcp this is presumably only a fallback when the sender
# supplies no host - confirm against inputs.conf.spec.
connection_host = ip
# Host value assigned to this input's events.
host = da02.int
# Destination index.
index = default
# Queue routing rule: both the has_key and absent_key branches send to parsingQueue.
route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
# Splunk inputs.conf: receiver for forwarder traffic on TCP port 9997.
# This is the plain `splunktcp` input type, not `splunktcp-ssl`, so nothing in this
# stanza enables TLS; data sent to this port is not encrypted in transit unless
# TLS is configured elsewhere.
[splunktcp://9997]
# Socket receive buffer size in bytes (1572864 = 1.5 MiB).
_rcvbuf = 1572864
# `none`: do not derive the host from the connection; this differs from the
# `ip` value set in the bare [splunktcp] stanza.
connection_host = none
# 0 = this input is enabled.
disabled = 0
# Host value assigned to this input's events.
host = da02.int
# Destination index.
index = default
# Size limit of this input's queue.
queueSize = 10MB