Hi,
I'm fed up with this issue: one of my heavy forwarders stops sending events to the indexers, and after a restart it sends logs to the indexers again, but some time later the same issue occurs.
I'm getting these kinds of errors in splunkd.log when it stops sending logs to the indexers.
Ex:
04-13-2017 15:29:01.295 -0500 WARN TcpOutputProc - Possible duplication of events with channel=source::cloudfoundry_sys|host::10.32.120.185|syslog|remoteport::51489, streamId=14010656165184201000, offset=2718 subOffset=1 on host=10.30.71.151:9997
04-13-2017 15:29:01.295 -0500 WARN TcpOutputProc - Possible duplication of events with channel=source::cloudfoundry_sys|host::10.32.120.162|syslog|remoteport::51487, streamId=6389163824992962214, offset=3263 subOffset=1 on host=10.30.71.151:9997
04-13-2017 15:29:01.295 -0500 WARN TcpOutputProc - Possible duplication of events with channel=source::cloudfoundry_sys|host::10.32.122.125|syslog|remoteport::51487, streamId=6389163824992962214, offset=3265 subOffset=3 on host=10.30.71.151:9997
04-13-2017 15:29:01.295 -0500 WARN TcpOutputProc - Possible duplication of events with channel=source::cloudfoundry_sys|host::10.32.121.54|syslog|remoteport::51490, streamId=1903603338508299248, offset=2895 subOffset=1 on host=10.30.71.151:9997
04-13-2017 15:29:01.295 -0500 WARN TcpOutputProc - Possible duplication of events with channel=source::tcp:15000|host::10.32.123.151|log4j|remoteport::49826, streamId=922401461405077376, offset=5793 subOffset=1 on host=10.30.71.151:9997
Please do post the answers.