Workaround for network accessibility issues on Splunk Windows systems under certain conditions
This page discusses how to work around an issue where network-intensive Splunk Enterprise operations on a Windows system can sometimes cause that system to become inaccessible from the network.
A Windows system that supports a Splunk Enterprise instance which performs network-intensive operations can become inaccessible from the network after a period of time. Problems usually begin within eight to twelve hours, but can start as late as 2-3 days depending on the amount of network activity that the instance sees. When this anomaly occurs, any attempts to connect to the system remotely fail, and you must restart the computer to return it to service.
You might see the following error in splunkd.log, or in the search.log file(s) created in the individual dispatch directory that each search (scheduled or real-time) generates:
01-16-2013 06:55:33.935 WARN NetUtils - Error connecting - winsock error 10055\n
This problem has multiple causes:
- By default, Windows configures a low number (5000) of available ephemeral, or short-lived, network (TCP) ports.
- When you perform network-intensive activities in Splunk Enterprise, Splunk generates a large number of short-lived network connections, which use these ports. Network-intensive activities include but are not limited to:
- Running a large number of concurrent real-time searches (usually from an app).
- Configuring a deployment client to connect to a deployment server which is on the same computer.
- Once the Windows system runs out of available ports, it returns
WSAENOBUFS(Windows Sockets error 10055) to any application that requests a port for network operations, and immediately becomes inaccessible from the network.
When this happens, the only way to fix the problem is to reboot the affected computer.
Note: While this problem most commonly occurs when you employ numerous concurrent real-time searches, any kind of search - and more importantly, any kind of network operation - can trigger the issue. The problem is not limited to Splunk, but Splunk can often cause the problem to appear.
This problem only appears on Windows systems.
To work around this issue, you can complete one or both of the following steps.
Caution: The steps below require that you make administrative changes to your Windows system. These advanced changes might render your system unstable or unusable. If you are not able to make these changes, or are either unsure or uncomfortable about what to do, then contact your internal IT support organization for assistance.
1. Modify the Registry to increase the number of available user ports. Follow the instructions at "When you try to connect from TCP ports greater than 5000 you receive the error 'WSAENOBUFS'" (http://support.microsoft.com/kb/196271/en-us) on the Microsoft Support site to modify the Registry and increase the number of ephemeral TCP ports.
Important: We suggest you complete this step first, then restart your system. If the problem persists, then perform the next step.
2. Install a downloadable hotfix from Microsoft. If your system is a multiple-CPU system that runs either Windows Server 2008 R2 or Windows 7, then you can download and install a hotfix which addresses this specific issue. For information and instructions on how to download and apply the hotfix, see "Kernel sockets leak on a multiprocessor computer that is running Windows Server 2008 R2 or Windows 7" (http://support.microsoft.com/kb/2577795) on the Microsoft Support site.
Important: This option is available only for systems with multiple CPUs that run Windows Server 2008 R2 or Windows 7.
You must restart your computer after performing either of these actions.
Splunk Enterprise and anti-virus products
Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade
This documentation applies to the following versions of Splunk® Enterprise: 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.6.0