https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422924#M15075 <P>We have this issue very frequently which appeared to have started right after the last upgrade.<BR /> Below kernel logs shows the frequency, Splunk process on the indexer appears running without restart so it appears to be from search processes. </P> <HR /> <P>*Linux splunkindexer1 2.6.32-754.9.1.el6.x86_64 #1 SMP Wed Dec 21 10:08:21 PST 2018 x86_64 x86_64 x86_64 GNU/Linux<BR /> -bash-4.1$ cat /var/log/messages | grep -i kernel| tail<BR /> Jul 31 08:16:24 splunkindexer1 kernel: splunkd[3149]: segfault at 7ff425810057 ip 000055ad21554260 sp 00007ff4047f8068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:19:34 splunkindexer1 kernel: splunkd[7907]: segfault at 7ff42540e057 ip 000055ad21554260 sp 00007ff4043f6068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:20:30 splunkindexer1 kernel: splunkd[22411]: segfault at 7ff42560f057 ip 000055ad21554260 sp 00007ff4045f7068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:21:07 splunkindexer1 kernel: splunkd[30162]: segfault at 7ff42580f057 ip 000055ad21554260 sp 00007ff4047f7068 error 4 in splunkd[55ad1f3d2000+2e2b000]</P> <H2>Jul 31 08:51:34 splunkindexer1 kernel: splunkd[4092]: segfault at 7ff4224104f7 ip 000055ad21554260 sp 00007ff4013f8508 error 4 in splunkd[55ad1f3d2000+2e2b000]* </H2> <P>This is from one of the crash logs.</P> <HR /> <P>Received fatal signal 11 (Segmentation fault).<BR /> Cause:<BR /> No memory mapped at address [0x00000261CB7ECF].<BR /> Crashing thread: BatchSearch<BR /> "SNIP"</P> <P>Backtrace (PIC build):<BR /> [0x000056345C300260] st_decode_from_vbe + 0 (splunkd + 0x2182260)<BR /> [0x000056345C2EC4DA] ? (splunkd + 0x216E4DA)<BR /> [0x000056345C2EC7EF] _seek + 143 (splunkd + 0x216E7EF)<BR /> [0x000056345C2EF4A9] and_literals + 713 (splunkd + 0x21714A9)<BR /> [0x000056345C2F3316] ? (splunkd + 0x2175316)<BR /> "SNIP" </P> <P>Last errno: 2<BR /> Threads running: 11<BR /> Runtime: 52652.730678s<BR /> argv: [splunkd -p 8089 restart splunkd]<BR /> Process renamed: [splunkd pid=3960] splunkd -p 8089 restart splunkd [process-runner]</P> <H2>Process renamed: [splunkd pid=3960] search --id=remote_sh1_scheduler_<EM>d5331</EM><EM>search</EM>_RMD561462962f68d150_at_1562933700_3076_AAAAAAAA-1111-2222-AAAA-ADAAA6256C5C --maxbuckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --sidtype=normal --outCsv=true --acceptSrsLevel=1 --user=d5331 --pro --roles=power:user</H2> Wed, 30 Sep 2020 01:33:50 GMT sylim_splunk 2020-09-30T01:33:50Z https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422924#M15075 <P>We have this issue very frequently which appeared to have started right after the last upgrade.<BR /> Below kernel logs shows the frequency, Splunk process on the indexer appears running without restart so it appears to be from search processes. </P> <HR /> <P>*Linux splunkindexer1 2.6.32-754.9.1.el6.x86_64 #1 SMP Wed Dec 21 10:08:21 PST 2018 x86_64 x86_64 x86_64 GNU/Linux<BR /> -bash-4.1$ cat /var/log/messages | grep -i kernel| tail<BR /> Jul 31 08:16:24 splunkindexer1 kernel: splunkd[3149]: segfault at 7ff425810057 ip 000055ad21554260 sp 00007ff4047f8068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:19:34 splunkindexer1 kernel: splunkd[7907]: segfault at 7ff42540e057 ip 000055ad21554260 sp 00007ff4043f6068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:20:30 splunkindexer1 kernel: splunkd[22411]: segfault at 7ff42560f057 ip 000055ad21554260 sp 00007ff4045f7068 error 4 in splunkd[55ad1f3d2000+2e2b000]<BR /> Jul 31 08:21:07 splunkindexer1 kernel: splunkd[30162]: segfault at 7ff42580f057 ip 000055ad21554260 sp 00007ff4047f7068 error 4 in splunkd[55ad1f3d2000+2e2b000]</P> <H2>Jul 31 08:51:34 splunkindexer1 kernel: splunkd[4092]: segfault at 7ff4224104f7 ip 000055ad21554260 sp 00007ff4013f8508 error 4 in splunkd[55ad1f3d2000+2e2b000]* </H2> <P>This is from one of the crash logs.</P> <HR /> <P>Received fatal signal 11 (Segmentation fault).<BR /> Cause:<BR /> No memory mapped at address [0x00000261CB7ECF].<BR /> Crashing thread: BatchSearch<BR /> "SNIP"</P> <P>Backtrace (PIC build):<BR /> [0x000056345C300260] st_decode_from_vbe + 0 (splunkd + 0x2182260)<BR /> [0x000056345C2EC4DA] ? (splunkd + 0x216E4DA)<BR /> [0x000056345C2EC7EF] _seek + 143 (splunkd + 0x216E7EF)<BR /> [0x000056345C2EF4A9] and_literals + 713 (splunkd + 0x21714A9)<BR /> [0x000056345C2F3316] ? (splunkd + 0x2175316)<BR /> "SNIP" </P> <P>Last errno: 2<BR /> Threads running: 11<BR /> Runtime: 52652.730678s<BR /> argv: [splunkd -p 8089 restart splunkd]<BR /> Process renamed: [splunkd pid=3960] splunkd -p 8089 restart splunkd [process-runner]</P> <H2>Process renamed: [splunkd pid=3960] search --id=remote_sh1_scheduler_<EM>d5331</EM><EM>search</EM>_RMD561462962f68d150_at_1562933700_3076_AAAAAAAA-1111-2222-AAAA-ADAAA6256C5C --maxbuckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --sidtype=normal --outCsv=true --acceptSrsLevel=1 --user=d5331 --pro --roles=power:user</H2> Wed, 30 Sep 2020 01:33:50 GMT https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422924#M15075 sylim_splunk 2020-09-30T01:33:50Z https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422925#M15076 <P>This could have been caused by some corrupted buckets when searches run against them.<BR /> You may want to fix the buckets and try the same search to see if it fixes it.<BR /> Follow the steps below to get list of buckets suspected corrupted.</P> <P>*** How to get the list of corrupt buckets ***<BR /> 1. @the indexer, cd to $SPLUNK_HOME/var/log/splunk<BR /> 2. Run below<BR /> $ grep "MAP:" crash-2019-07-31*.log |grep "/opt/splunk/storage"<BR /> "/opt/splunk/storage" varies according to your deployment set up and is taken from the line below in crash log.<BR /> <EM>crash-2019-07-31-00:15:17.log: <BR /> MAP: 7f00e9cdb000-7f00ea000000 r--s 00000000 fd:03 563872524 /opt/splunk/storage/hot/myindex1/rb_1560184689_1559942722_7530_AAAAAAAA-BBBB-1111-8C82-ABAD1EDD033D/1560184689-1560184620-11473276039248555956.tsidx</EM><BR /> 3. It will return the problematic buckets. From the above example, the bucket location is <EM>/opt/splunk/storage/hot/myindex1/rb_1560184689_1559942722_7530_AAAAAAAA-BBBB-1111-8C82-ABAD1EDD033D</EM></P> <P>*** How to fix the corrupted buckets ***<BR /> Rebuilding the bucket using fsck should fix the problem. Follow the steps to rebuild buckets:<BR /> 0. @CM, splunk enable maintenance-mode<BR /> 1. @Anonymous, splunk offline<BR /> 2. @Anonymous, for all the buckets from above, run splunk fsck repair --one-bucket --bucket-path="path_from_above"<BR /> i.e:<BR /> <EM>splunk fsck repair --one-bucket --bucket-path=/opt/splunk/storage/hot/myindex1/rb_1560184689_1559942722_7530_AAAAAAAA-BBBB-1111-8C82-ABAD1EDD033D</EM><BR /> 3. @Anonymous, splunk start<BR /> 4. @CM, splunk disable maintenance-mode</P> <P>If this is not helping improve the situation please contact Splunk Support with details of deployment architecture and a drag from the indexer.</P> Wed, 30 Sep 2020 01:33:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422925#M15076 sylim_splunk 2020-09-30T01:33:53Z https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422926#M15077 <P>That error means that a process (splunkd) has attempted to access memory that is not assigned to it. I believe this is/was a known bug in Splunk 7.1.x and below.</P> Wed, 31 Jul 2019 17:23:17 GMT https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422926#M15077 codebuilder 2019-07-31T17:23:17Z https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422927#M15078 <P>Known issue (SPL-153976) and fixed as part of 7.1.3</P> Wed, 31 Jul 2019 17:26:41 GMT https://community.splunk.com/t5/Deployment-Architecture/Segfault-errors-on-a-indexer-in-cluster/m-p/422927#M15078 codebuilder 2019-07-31T17:26:41Z