Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has the Splunk forwarder on Windows 2008R2 created so many sessions that no new sessions can be created?

yutaka1005
Builder
‎04-06-2018 01:07 AM

In my environment, there are two components like below.
Splunk 6.2.7 on Linux.
Splunk 6.2.7 on Windows 2008R2

Yesterday, when I checked netstat on windows, Forwarder was creating about ten thousand sessions in status "TIME_WAIT", so couldn't create new sessions!

For now, it has been normal, because I've rebooted it.
But I am worried that it will happen again.

Why did it happen?
I checked splunkd.log, and I found so many connection failed messages while it was happening.(I don't have any idea why the connection failed.)
If the connection between Splunk and Splunk forwarder has been failing for a long time, is that why it this happened?

I really appreciate if somebody can tell me about it.

I checked the answer below, but I don't configure connection_host = dns, so I don't think that this cause applys to this phenomenon.
https://answers.splunk.com/answers/114447/splunk-to-splunk-communication-stuck-in-close-wait.html

0 Karma
Reply

splunker12er
Motivator
‎04-06-2018 02:29 AM

How is your indexing performance? Did you take a look at your indexer splunkd.log ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...