<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Splunk not working across Vagrant Synced folder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-working-across-Vagrant-Synced-folder/m-p/381803#M68855</link>
    <description>&lt;P&gt;I have an interesting problem--I'm on a Mac, and due to an &lt;A href="https://github.com/docker/for-mac/issues/3674"&gt;entirely different issue&lt;/A&gt;, I can't reliably run Splunk in OS/X Docker implementation.  &lt;/P&gt;

&lt;P&gt;No problem--I went and spun up a Vagrant instance running CentOS and decided to run Docker there, and run Splunk in Docker.  Seems easy enough, but I ran into any interesting problem: data was being ingested (and showed up in real-time searches), but not syncing to disk.  Further investigation revealed that when writing to the internal filesystem in the Vagrant container, the issue did not repeat, but if I tried writing over a directory that is synced to the host filesystem, the problem would show up.&lt;/P&gt;

&lt;P&gt;Specifically, there are two things I'm seeing.  First, entries like these in splunkd.log:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;05-19-2019 21:39:25.397 +0000 ERROR StreamGroup - failed to drain remainder total_sz=3 bytes_freed=560 avg_bytes_per_iv=186 sth=0x7f2dde3fdd50: [1558301964, /opt/splunk/var/lib/splunk/defaultdb/db/hot_v1_0, 0x7f2dd8e6a8a0] reason=st_sync failed rc=-6 warm_rc=[-35,1]&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Second, when I look in the directory for any bucket, such as &lt;CODE&gt;defaultdb/&lt;/CODE&gt; (main) or &lt;CODE&gt;_internaldb/&lt;/CODE&gt; (_internal), I see hundreds and hundreds of files with the string &lt;CODE&gt;.pre&lt;/CODE&gt; in them:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;-rw------- 1 root root 2004 May 19 14:44 1558302293-1558302293-9702670806338853527.pre-tsidx&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;So the data is making it to disk in some form, it's just not searchable.&lt;/P&gt;

&lt;P&gt;To reproduce, here's a Vagrantfile:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;Vagrant.configure("2") do |config|&lt;BR /&gt;&lt;BR /&gt;
config.vm.box = "minimal/centos7"&lt;BR /&gt;&lt;BR /&gt;
config.vm.network "forwarded_port",&lt;BR /&gt;
guest: 8080, host: 8080&lt;BR /&gt;&lt;BR /&gt;
config.vm.provider "virtualbox" do&lt;BR /&gt;
|vb|&lt;BR /&gt;
     vb.memory = "2048"&lt;BR /&gt;
     vb.cpus = 2   end end&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;You'll need to install Docker, but &lt;CODE&gt;yum install -y docker &amp;amp;&amp;amp; systemctl start docker&lt;/CODE&gt; should suffice.&lt;/P&gt;

&lt;P&gt;Then, you'll need to start my (Dockerized) &lt;A href="https://github.com/dmuth/splunk-network-health-check"&gt;Splunk App&lt;/A&gt;:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;SPLUNK_PORT=8080 SPLUNK_START_ARGS=--accept-license bash &amp;lt;(curl -s &lt;A href="https://raw.githubusercontent.com/dmuth/splunk-network-health-check/master/go.sh)" target="test_blank"&gt;https://raw.githubusercontent.com/dmuth/splunk-network-health-check/master/go.sh)&lt;/A&gt;&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;As soon as Splunk starts up, running &lt;CODE&gt;ls -l splunk-data/defaultdb/db/hot_v1_0/&lt;/CODE&gt; will show those files.&lt;/P&gt;

&lt;P&gt;I've never seen anything any error like this before (nor has Google, apparently), so any help or pointers would be appreciated. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;This is with Splunk version &lt;CODE&gt;Splunk 7.2.5 (build 088f49762779)&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Sun, 19 May 2019 21:50:55 GMT</pubDate>
    <dc:creator>dmuth1</dc:creator>
    <dc:date>2019-05-19T21:50:55Z</dc:date>
    <item>
      <title>Splunk not working across Vagrant Synced folder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-working-across-Vagrant-Synced-folder/m-p/381803#M68855</link>
      <description>&lt;P&gt;I have an interesting problem--I'm on a Mac, and due to an &lt;A href="https://github.com/docker/for-mac/issues/3674"&gt;entirely different issue&lt;/A&gt;, I can't reliably run Splunk in OS/X Docker implementation.  &lt;/P&gt;

&lt;P&gt;No problem--I went and spun up a Vagrant instance running CentOS and decided to run Docker there, and run Splunk in Docker.  Seems easy enough, but I ran into any interesting problem: data was being ingested (and showed up in real-time searches), but not syncing to disk.  Further investigation revealed that when writing to the internal filesystem in the Vagrant container, the issue did not repeat, but if I tried writing over a directory that is synced to the host filesystem, the problem would show up.&lt;/P&gt;

&lt;P&gt;Specifically, there are two things I'm seeing.  First, entries like these in splunkd.log:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;05-19-2019 21:39:25.397 +0000 ERROR StreamGroup - failed to drain remainder total_sz=3 bytes_freed=560 avg_bytes_per_iv=186 sth=0x7f2dde3fdd50: [1558301964, /opt/splunk/var/lib/splunk/defaultdb/db/hot_v1_0, 0x7f2dd8e6a8a0] reason=st_sync failed rc=-6 warm_rc=[-35,1]&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Second, when I look in the directory for any bucket, such as &lt;CODE&gt;defaultdb/&lt;/CODE&gt; (main) or &lt;CODE&gt;_internaldb/&lt;/CODE&gt; (_internal), I see hundreds and hundreds of files with the string &lt;CODE&gt;.pre&lt;/CODE&gt; in them:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;-rw------- 1 root root 2004 May 19 14:44 1558302293-1558302293-9702670806338853527.pre-tsidx&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;So the data is making it to disk in some form, it's just not searchable.&lt;/P&gt;

&lt;P&gt;To reproduce, here's a Vagrantfile:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;Vagrant.configure("2") do |config|&lt;BR /&gt;&lt;BR /&gt;
config.vm.box = "minimal/centos7"&lt;BR /&gt;&lt;BR /&gt;
config.vm.network "forwarded_port",&lt;BR /&gt;
guest: 8080, host: 8080&lt;BR /&gt;&lt;BR /&gt;
config.vm.provider "virtualbox" do&lt;BR /&gt;
|vb|&lt;BR /&gt;
     vb.memory = "2048"&lt;BR /&gt;
     vb.cpus = 2   end end&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;You'll need to install Docker, but &lt;CODE&gt;yum install -y docker &amp;amp;&amp;amp; systemctl start docker&lt;/CODE&gt; should suffice.&lt;/P&gt;

&lt;P&gt;Then, you'll need to start my (Dockerized) &lt;A href="https://github.com/dmuth/splunk-network-health-check"&gt;Splunk App&lt;/A&gt;:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;SPLUNK_PORT=8080 SPLUNK_START_ARGS=--accept-license bash &amp;lt;(curl -s &lt;A href="https://raw.githubusercontent.com/dmuth/splunk-network-health-check/master/go.sh)" target="test_blank"&gt;https://raw.githubusercontent.com/dmuth/splunk-network-health-check/master/go.sh)&lt;/A&gt;&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;As soon as Splunk starts up, running &lt;CODE&gt;ls -l splunk-data/defaultdb/db/hot_v1_0/&lt;/CODE&gt; will show those files.&lt;/P&gt;

&lt;P&gt;I've never seen anything any error like this before (nor has Google, apparently), so any help or pointers would be appreciated. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;This is with Splunk version &lt;CODE&gt;Splunk 7.2.5 (build 088f49762779)&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Sun, 19 May 2019 21:50:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-working-across-Vagrant-Synced-folder/m-p/381803#M68855</guid>
      <dc:creator>dmuth1</dc:creator>
      <dc:date>2019-05-19T21:50:55Z</dc:date>
    </item>
  </channel>
</rss>

