The WSS Splunk Transfer Agent (TA) is not receiving any data from the WSS SyncAPI.
The $SPLUNK_HOME/etc/var/log/scwss/scwss-poll.log file repeatedly logs the error "Received corrupted archive from WSS, will retry on the next invocation":
2022-03-13 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2022-03-13 14:10:46,355 ERROR 140160265734080 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:15:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:15:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:20:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:20:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:25:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:25:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:30:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:30:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
The sync.token is most likely corrupted and needs to be reset.
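Before resetting the token, you can check scwss-poll.log to confirm that every recent poll is failing and see when the failures began. The following is an added example, not part of the original article or the TA. The function names and sample lines are constructed, and it assumes that a poll which logs no corrupted-archive error is healthy.

```python
import re
from datetime import datetime

# Line layout inferred from the scwss-poll.log excerpt on this page.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} "
                     r"(?P<level>INFO|ERROR) \d+ - SWSS: (?P<msg>.*)$")
START = "Starting data collection"
CORRUPT = "Received corrupted archive from WSS"

# Constructed sample: one clean poll (placeholder message, not real TA output),
# two failed polls, and one poll that has started but logged no outcome yet.
SAMPLE = """\
2022-03-13 14:05:46,067 INFO 140160265734080 - SWSS: Starting data collection...
2022-03-13 14:05:47,000 INFO 140160265734080 - SWSS: constructed non-error line
2022-03-13 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2022-03-13 14:10:46,355 ERROR 140160265734080 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:15:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:15:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:20:46,067 INFO 140317862344640 - SWSS: Starting data collection...
"""

def poll_cycles(lines):
    """Group log lines into polls: [start_time, failed, lines_after_start]."""
    cycles = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the layout
        if START in m["msg"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            cycles.append([ts, False, 0])
        elif cycles:
            cycles[-1][2] += 1
            if m["level"] == "ERROR" and CORRUPT in m["msg"]:
                cycles[-1][1] = True
    return cycles

def failing_streak(lines):
    """Return (failed polls in a row at the end of the log, start of the first)."""
    cycles = poll_cycles(lines)
    if cycles and cycles[-1][2] == 0:
        cycles.pop()  # last poll has logged no outcome yet, so do not judge it
    streak, first = 0, None
    for start, failed, _ in reversed(cycles):
        if not failed:
            break
        streak, first = streak + 1, start
    return streak, first
```

Pass the lines of the real log file to `failing_streak`. A streak that keeps growing across invocations matches the symptom described above.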
Follow the process below to reset the WSS SyncAPI token on Splunk.
This process sends a new API call to the SyncAPI with a new date/time and no token, so the SyncAPI generates a new token.
Find the "sync.token" file.
On a Linux server:
find / -iname "sync.token"
Note: Some access logs will overlap or be duplicated, since the WSS SyncAPI requires going back to the beginning of the hour.