Hello,

Right, that looks strange, some questions:

• Is this is happening on multiple boxes ?
• Which Linux distribution and version ?
• Is this happening continuously or sporadically ?

Can you try on a box where this is happening:

pkill nmon && rm -rf /opt/splunk/var/log/nmon

And wait a few minutes, a new Nmon process would be restarted and processing achieved, check logs

A good test would be to run a manual instance, locale the nmon binary being run by the TA, example:

root     18382     1  0 19:54 ?        00:00:00 /opt/splunkforwarder/var/log/nmon/bin/linux/ubuntu/nmon_x86_64_ubuntu1404 -F /opt/splunkforwarder/var/log/nmon/var/nmon_repository/fifo1/nmon.fifo -T -s 60 -c 1440 -d 1500 -g auto -D -p

From a directory of your choice, run the binary with the "-f" switch, such as:

 /opt/splunkforwarder/var/log/nmon/bin/linux/ubuntu/nmon_x86_64_ubuntu1404 -f -T -s 60 -c 1440 -d 1500 -g auto -D -p

This will start in the current directory an *.nmon file, this would be interesting to check its structure, what the processing refuses is the apparently a truncated line containing the Nmon timestamp "ZZZZ" but not starting by it:

grep ZZZZ <nmon_file.nmon>

If you find a ZZZZ line which does not start the line, this would be the root cause of the issue, a more adapted binary version for your particular OS could be required.

Optionally, on your testing box, if you install Python 2.7.x minimal, the processing will switch automatically to Python, which might not be affected, although Perl shouldn't be neither unless there is an unexpected issue with the binary running on this particular host.

Let me know.

Guilhem