Splunk was working properly. We changed its license to free and it worked without problems for a while, but suddenly we realized that it is unable to collect IPS logs during working hours (between 09.30 AM-06.00 PM) on weekdays. It starts to get the logs after 06.30 PM. I'm sending you the lines from the sdee_get.log file. As you can see, Splunk is in a loop: it attempts to re-connect to the IPS sensor, succeeds, and then gets an exception. How can we solve this problem? Is it related to the type of license? Which parts (services, etc.) should we check when Splunk suddenly stops getting logs from the IPS?
Thanks for your help.
Thu May 09 16:48:22 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - host="x.y.z.t" SessionID="25e40597e46a7536228f70501d757a9b" SubscriptionID="sub-63431-8a2f85a2"
Thu May 09 16:48:37 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:37 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - host="x.y.z.t" SessionID="8bdd038849dc1bae35276a396db6040c" SubscriptionID="sub-63442-7205ac01"
Thu May 09 16:48:52 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:52 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:52 2013 - INFO - Successfully connected to: x.y.z.t
(x.y.z.t is the symbolic IP of the IPS sensor)