On looking into the internal logs of the server on which forwarder is configured, I could observe that splunkd is shutting down for every 24 hours, and starting again. Below are the logs before the shut down,
09-06-2016 23:15:24.658 -0700 INFO ShutdownHandler - Shutting down splunkd
09-06-2016 23:15:24.253 -0700 INFO loader - Shutdown HTTPDispatchThread
09-06-2016 23:15:24.253 -0700 INFO loader - Shutdown HTTPDispatchThread
09-06-2016 23:15:23.987 -0700 INFO PipelineComponent - Performing early shutdown tasks
09-06-2016 23:15:23.987 -0700 INFO PipelineComponent - Performing early shutdown tasks
09-06-2016 23:14:57.092 -0700 INFO TcpOutputProc - Connected to idx=172.x.x.52:9997 using ACK.
09-06-2016 23:14:56.842 -0700 INFO StatusMgr - destHost=172.x.x.52, destIp=172.x.x.52, destPort=9997, eventType=connect_done, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
Below are the logs after a restart has been done,
09-06-2016 23:16:16.829 -0700 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\SplunkUniversalForwarder\etc\apps\fmi_all_Splunk_TA_windows_inputs_installed_apps\bin\win_installed_apps.bat], ignoring alternate expansion [script://C:\Program Files\SplunkUniversalForwarder\etc\apps\fmi_all_Splunk_TA_windows_inputs\bin\win_installed_apps.bat] in inputs.conf
09-06-2016 23:16:16.720 -0700 INFO loader - Automatic migration of modular inputs
09-06-2016 23:16:16.720 -0700 INFO loader - win-service: Splunk starting as a local administrator
09-06-2016 23:16:16.704 -0700 INFO loader - win-service: Starting as a Windows service: will run various system checks first...
**What could be the reason for Splunkd to stop..And it is happening on a daily basis..What could be the reason behind it??**
↧