https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259539#M49822 <P><A href="https://answers.splunk.com/answers/146813/why-cpu-spikes-and-stays-at-100-installing-universal-forwarder-on-server-2012-r2.html">Why CPU spikes and stays at 100% installing universal forwarder on server 2012 R2?</A></P> <P>A good one at - <A href="https://answers.splunk.com/answers/5400/high-cpu-usage-on-splunk-forwarder.html">High cpu usage on splunk forwarder</A></P> <P>About <CODE>Checksum for seekptr didn't match, will re-read entire file='access.log'</CODE> - <BR /> <A href="https://answers.splunk.com/answers/102356/explanation-of-checksum-for-seekptr-didnt-match-will-re-read-entire-file.html">Explanation of Checksum for seekptr didn't match, will re-read entire file</A></P> Wed, 13 Jul 2016 21:25:23 GMT ddrillic 2016-07-13T21:25:23Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259537#M49820 <P>Hi, </P> <P>I've set up a Unix universal forwarder to monitor text-based files on a system.<BR /> I always thought forwarders have a small footprint, but my forwarder currently eats up 17% of the CPU of the machine it's installed on.</P> <P>I checked everything and found something weird.<BR /> Splunkd_access.log writes approx. 2 MB of data every second. Splunkd_access.log rolls about every two minutes.<BR /> Splunk-Forwarder-Version: 6.4.1</P> <P>Splunkd_access.log shows the following constant output:</P> <PRE><CODE>-somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms -somedate- "POST /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json HTTP/1.1" 401 71 - - - 0ms </CODE></PRE> <P>While splunkd.log throws me this repeatedly:</P> <PRE><CODE>-somedate- INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/opt/splunkforwarder/var/log/splunk/splunkd_access.log'. -somedate- INFO WatchedFile - Will begin reading at offset=0 for file='/opt/splunkforwarder/var/log/splunk/splunkd_access.log'. </CODE></PRE> <HR /> <P>Anyone here who has seen this strange behavior before?<BR /> Thanks in advance!</P> <P>Best regards,<BR /> pyro_wood</P> Tue, 29 Sep 2020 10:13:44 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259537#M49820 horsefez 2020-09-29T10:13:44Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259538#M49821 <P>Very weird... I'd scrutinize for any shcluster related config<BR /> /opt/splunkforwarder/bin/splunk btool --debug server list | less<BR /> Search for any mention of shcluster</P> <P>Other than that you might have a bug on your hands. </P> <P>Do you have multiple systems expressing this behavior?</P> Wed, 13 Jul 2016 20:33:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259538#M49821 muebel 2016-07-13T20:33:34Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259539#M49822 <P><A href="https://answers.splunk.com/answers/146813/why-cpu-spikes-and-stays-at-100-installing-universal-forwarder-on-server-2012-r2.html">Why CPU spikes and stays at 100% installing universal forwarder on server 2012 R2?</A></P> <P>A good one at - <A href="https://answers.splunk.com/answers/5400/high-cpu-usage-on-splunk-forwarder.html">High cpu usage on splunk forwarder</A></P> <P>About <CODE>Checksum for seekptr didn't match, will re-read entire file='access.log'</CODE> - <BR /> <A href="https://answers.splunk.com/answers/102356/explanation-of-checksum-for-seekptr-didnt-match-will-re-read-entire-file.html">Explanation of Checksum for seekptr didn't match, will re-read entire file</A></P> Wed, 13 Jul 2016 21:25:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259539#M49822 ddrillic 2016-07-13T21:25:23Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259540#M49823 <P>The splunkd.log part is benign, just a sign of log rotation happening in splunkd_access.log.</P> <P>The access logs suggest someone is trying to make the forwarder vote in a search head cluster captain election.<BR /> That makes no sense whatsoever, make sure no SHC is configured with this machine as a member on top of what @muebel said.<BR /> The client IP listed in the access log should be a good clue as to where to look for misconfiguration first.</P> Wed, 13 Jul 2016 22:56:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259540#M49823 martin_mueller 2016-07-13T22:56:11Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259541#M49824 <P>Thank you muebel and martin_mueller for your suggestions.<BR /> Martin is indeed right with his assumption. This machine was previously configured as part of a search head cluster. But splunk had been deleted since.</P> <P>Anyway... I now ordered a complete wipe of the machine and a reset and then it should be all fine again.</P> <P>Thanks to you two for the quick responses <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 14 Jul 2016 16:55:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259541#M49824 horsefez 2016-07-14T16:55:00Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259542#M49825 <P>Thanks for nothing. Links don't help either. Better read the question first next time!</P> Thu, 14 Jul 2016 16:56:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259542#M49825 horsefez 2016-07-14T16:56:10Z https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259543#M49826 <P>Make sure no other cluster members remember this forwarder as a former member on top of cleaning up the forwarder itself.</P> Fri, 15 Jul 2016 04:00:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-splunkd-access-log-burst-events-on-our-Unix-universal/m-p/259543#M49826 martin_mueller 2016-07-15T04:00:16Z