We have a heavy forwarder running 6.4.1 that has been crashing on some random event being sent via syslog. Well, I should say, the syslog listener just stops processing the inputs. Other events on other listeners continue to flow. Restarting the Splunk service results in the files in ...var\lib\splunk\persistentstorage getting corrupted. The two files must be deleted and then splunkd fires right up.
This event is very random. It can happen once a week or 2 or 3 times a day. It's quite annoying.
Ideas?