Hi Team,
We are facing an issue in Critical Production server, we are not able to monitor the server.
Data not forwarding from to the indexer.
I believe it's this (limits.conf)
[inputproc]
file_tracking_db_threshold_mb = <integer>
* This setting controls the trigger point at which the file tracking db (also
commonly known as the "fishbucket" or btree) rolls over. A new database is
created in its place. Writes are targeted at new db. Reads are first
targeted at new db, and we fall back to old db for read failures. Any reads
served from old db successfully will be written back into new db.
* MIGRATION NOTE: if this setting doesn't exist, the initialization code in
splunkd triggers an automatic migration step that reads in the current value
for "maxDataSize" under the "_thefishbucket" stanza in indexes.conf and
writes this value into etc/system/local/limits.conf.
What's the account under which Splunk is running? Do you see access denied type of errors as well ?