https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23720#M256 <P>Trying to figure out what these crash logs mean, I get some every minute, sometimes multiple times:</P> <PRE> [build 149561] 2013-08-02 14:40:02 Received fatal signal 6 (Aborted). Cause: Signal sent by PID 22532 running under UID 0. Crashing thread: dispatch Registers: RIP: [0x00000037B5A30285] gsignal + 53 (/lib64/libc.so.6) RDI: [0x0000000000005804] RSI: [0x0000000000005810] RBP: [0x00002AF474800940] RSP: [0x00002AF4747FD568] RAX: [0x0000000000000000] RBX: [0x00002AF4747FD610] RCX: [0xFFFFFFFFFFFFFFFF] RDX: [0x0000000000000006] R8: [0x0000000000000080] R9: [0x0101010101010101] R10: [0x0000000000000008] R11: [0x0000000000000202] R12: [0x00002AF4753BB8D0] R13: [0x00002AF4753BBA78] R14: [0x00002AF4751A1B40] R15: [0x00002AF4747FDB80] EFL: [0x0000000000000202] TRAPNO: [0x0000000000000000] ERR: [0x0000000000000000] CSGSFS: [0x0000000000000033] OLDMASK: [0x0000000000000000] OS: Linux Arch: x86-64 Backtrace: [0x00000037B5A30285] gsignal + 53 (/lib64/libc.so.6) [0x00000037B5A31D30] abort + 272 (/lib64/libc.so.6) [0x00000000012EB52E] _ZN9__gnu_cxx27__verbose_terminate_handlerEv + 318 ([splunkd) [0x00000000012EB186] _ZN10__cxxabiv111__terminateEPFvvE + 6 ([splunkd) [0x00000000012EB1B3] ? ([splunkd) [0x00000000012EB0AF] ? ([splunkd) [0x0000000000B3FB5A] _ZN15SearchEvaluator10lispyQueryER3StrR7TimevalS3_R9StrVectorRKS2_S7_b + 474 ([splunkd) [0x00000000008AF449] _ZN17IndexScopedSearch4initERK7TimevalS2_bP14LookupOperatorP12FieldAliaserP18CalcFieldProcessorPKSt3setI10CMBucketIdSt4lessISA_ESaISA_EE + 633 ([splunkd) [0x0000000000898795] _ZN14SearchOperator8evalArgsER17SearchResultsInfo + 9701 ([splunkd) [0x0000000000E29E73] _ZN14SearchPipeline8evalArgsER17SearchResultsInfo + 99 ([splunkd) [0x00000000008D168F] _ZN22BucketSummaryProcessor8evalArgsER17SearchResultsInfo + 8991 ([splunkd) [0x0000000000E29E73] _ZN14SearchPipeline8evalArgsER17SearchResultsInfo + 99 ([splunkd) [0x0000000000ED33A1] _ZN14DispatchThread8evaluateEbb + 16097 ([splunkd) [0x0000000000ECB7B1] _ZN14DispatchThread8mainImplEv + 4417 ([splunkd) [0x0000000000ECE74E] _ZN14DispatchThread4mainEv + 254 ([splunkd) [0x0000000000DA2F32] _ZN6Thread8callMainEPv + 66 ([splunkd) [0x00000037B620683D] ? (/lib64/libpthread.so.0) [0x00000037B5AD4FAD] clone + 109 (/lib64/libc.so.6) Linux / ZAS1UXP-0109 / 2.6.18-348.6.1.el5 / #1 SMP Fri Apr 26 09:21:26 EDT 2013 / x86_64 Last few lines of stderr (may contain info on assertion failure, but also could be old): 2013-05-02 16:30:01.334 -0400 splunkd started (build 149561) 2013-05-09 21:04:08.357 -0400 Interrupt signal received 2013-05-09 21:08:48.739 -0400 splunkd started (build 149561) 2013-05-23 12:52:57.349 -0400 Interrupt signal received 2013-05-23 12:54:03.366 -0400 splunkd started (build 149561) 2013-06-06 20:04:15.593 -0400 Interrupt signal received 2013-06-06 20:10:14.241 -0400 splunkd started (build 149561) 2013-06-17 14:14:49.882 -0400 Interrupt signal received 2013-06-17 14:15:24.634 -0400 splunkd started (build 149561) 2013-06-17 14:18:05.896 -0400 Interrupt signal received 2013-06-17 14:19:14.726 -0400 splunkd started (build 149561) 2013-06-17 14:32:13.302 -0400 Interrupt signal received 2013-06-17 14:33:25.088 -0400 splunkd started (build 149561) /etc/redhat-release: Red Hat Enterprise Linux Server release 5.9 (Tikanga) glibc version: 2.5 glibc release: stable Threads running: 3 argv: [splunkd -p 8089 restart] Process renamed: [splunkd pid=25781] splunkd -p 8089 restart [process-runner] Process renamed: [splunkd pid=25781] search --id=scheduler__admin__ipreputation__RMD526d08b3e8e7938df_at_1375468800_211990 --maxbuckets=0 --ttl=60 --maxout=500000 --maxtime=8640000 --lookups=1 --reduce_freq=10 --user=admin --pro --roles=admin:power:user Crash log write attempted over the limit of (50kB), skipping. </PRE> Fri, 02 Aug 2013 18:47:34 GMT jonathan_cooper 2013-08-02T18:47:34Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23720#M256 <P>Trying to figure out what these crash logs mean, I get some every minute, sometimes multiple times:</P> <PRE> [build 149561] 2013-08-02 14:40:02 Received fatal signal 6 (Aborted). Cause: Signal sent by PID 22532 running under UID 0. Crashing thread: dispatch Registers: RIP: [0x00000037B5A30285] gsignal + 53 (/lib64/libc.so.6) RDI: [0x0000000000005804] RSI: [0x0000000000005810] RBP: [0x00002AF474800940] RSP: [0x00002AF4747FD568] RAX: [0x0000000000000000] RBX: [0x00002AF4747FD610] RCX: [0xFFFFFFFFFFFFFFFF] RDX: [0x0000000000000006] R8: [0x0000000000000080] R9: [0x0101010101010101] R10: [0x0000000000000008] R11: [0x0000000000000202] R12: [0x00002AF4753BB8D0] R13: [0x00002AF4753BBA78] R14: [0x00002AF4751A1B40] R15: [0x00002AF4747FDB80] EFL: [0x0000000000000202] TRAPNO: [0x0000000000000000] ERR: [0x0000000000000000] CSGSFS: [0x0000000000000033] OLDMASK: [0x0000000000000000] OS: Linux Arch: x86-64 Backtrace: [0x00000037B5A30285] gsignal + 53 (/lib64/libc.so.6) [0x00000037B5A31D30] abort + 272 (/lib64/libc.so.6) [0x00000000012EB52E] _ZN9__gnu_cxx27__verbose_terminate_handlerEv + 318 ([splunkd) [0x00000000012EB186] _ZN10__cxxabiv111__terminateEPFvvE + 6 ([splunkd) [0x00000000012EB1B3] ? ([splunkd) [0x00000000012EB0AF] ? ([splunkd) [0x0000000000B3FB5A] _ZN15SearchEvaluator10lispyQueryER3StrR7TimevalS3_R9StrVectorRKS2_S7_b + 474 ([splunkd) [0x00000000008AF449] _ZN17IndexScopedSearch4initERK7TimevalS2_bP14LookupOperatorP12FieldAliaserP18CalcFieldProcessorPKSt3setI10CMBucketIdSt4lessISA_ESaISA_EE + 633 ([splunkd) [0x0000000000898795] _ZN14SearchOperator8evalArgsER17SearchResultsInfo + 9701 ([splunkd) [0x0000000000E29E73] _ZN14SearchPipeline8evalArgsER17SearchResultsInfo + 99 ([splunkd) [0x00000000008D168F] _ZN22BucketSummaryProcessor8evalArgsER17SearchResultsInfo + 8991 ([splunkd) [0x0000000000E29E73] _ZN14SearchPipeline8evalArgsER17SearchResultsInfo + 99 ([splunkd) [0x0000000000ED33A1] _ZN14DispatchThread8evaluateEbb + 16097 ([splunkd) [0x0000000000ECB7B1] _ZN14DispatchThread8mainImplEv + 4417 ([splunkd) [0x0000000000ECE74E] _ZN14DispatchThread4mainEv + 254 ([splunkd) [0x0000000000DA2F32] _ZN6Thread8callMainEPv + 66 ([splunkd) [0x00000037B620683D] ? (/lib64/libpthread.so.0) [0x00000037B5AD4FAD] clone + 109 (/lib64/libc.so.6) Linux / ZAS1UXP-0109 / 2.6.18-348.6.1.el5 / #1 SMP Fri Apr 26 09:21:26 EDT 2013 / x86_64 Last few lines of stderr (may contain info on assertion failure, but also could be old): 2013-05-02 16:30:01.334 -0400 splunkd started (build 149561) 2013-05-09 21:04:08.357 -0400 Interrupt signal received 2013-05-09 21:08:48.739 -0400 splunkd started (build 149561) 2013-05-23 12:52:57.349 -0400 Interrupt signal received 2013-05-23 12:54:03.366 -0400 splunkd started (build 149561) 2013-06-06 20:04:15.593 -0400 Interrupt signal received 2013-06-06 20:10:14.241 -0400 splunkd started (build 149561) 2013-06-17 14:14:49.882 -0400 Interrupt signal received 2013-06-17 14:15:24.634 -0400 splunkd started (build 149561) 2013-06-17 14:18:05.896 -0400 Interrupt signal received 2013-06-17 14:19:14.726 -0400 splunkd started (build 149561) 2013-06-17 14:32:13.302 -0400 Interrupt signal received 2013-06-17 14:33:25.088 -0400 splunkd started (build 149561) /etc/redhat-release: Red Hat Enterprise Linux Server release 5.9 (Tikanga) glibc version: 2.5 glibc release: stable Threads running: 3 argv: [splunkd -p 8089 restart] Process renamed: [splunkd pid=25781] splunkd -p 8089 restart [process-runner] Process renamed: [splunkd pid=25781] search --id=scheduler__admin__ipreputation__RMD526d08b3e8e7938df_at_1375468800_211990 --maxbuckets=0 --ttl=60 --maxout=500000 --maxtime=8640000 --lookups=1 --reduce_freq=10 --user=admin --pro --roles=admin:power:user Crash log write attempted over the limit of (50kB), skipping. </PRE> Fri, 02 Aug 2013 18:47:34 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23720#M256 jonathan_cooper 2013-08-02T18:47:34Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23721#M257 <P>Do they all reference the same scheduled search <CODE>ipreputation</CODE>?</P> Fri, 02 Aug 2013 21:29:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23721#M257 martin_mueller 2013-08-02T21:29:17Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23722#M258 <P>Are you using the right build for your OS? I mean, 32-bit vs 64-bit binaries of Splunk. Just a thought, since many people miss that out.</P> Sat, 03 Aug 2013 06:02:24 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23722#M258 miteshvohra 2013-08-03T06:02:24Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23723#M259 <P>This is obviously a dispatch error, probably a searchjob process crash. You have a problem with a scheduled search maybe "ipreputaion" that is going nuts, maybe memory explosion. Install the SOS app and turn on the ps_sos.sh (linux) or ps_sos.ps1 (windows powershell) script to monitor the memory usage of your searches.</P> Mon, 28 Sep 2020 14:29:54 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23723#M259 yannK 2020-09-28T14:29:54Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23724#M260 <P>@martin_mueller: No, multiple searches</P> <P>@miteshvohra: Yes</P> <P>VERSION=5.0.2<BR /> BUILD=149561<BR /> PRODUCT=splunk<BR /> PLATFORM=Linux-x86_64</P> <P>@yannK:</P> <P>I will look through SOS again to see if I can pinpoint.</P> <P>Thanks for all the feedback.</P> Mon, 05 Aug 2013 17:21:09 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23724#M260 jonathan_cooper 2013-08-05T17:21:09Z https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23725#M261 <P>@yannK:</P> <P>You were correct, I disabled the IP Reputation app and all it's saved/scheduled searches and things have been quiet. Seems to have a problem with it's pre-packaged searches. Thanks for the guidance.</P> Wed, 07 Aug 2013 13:37:33 GMT https://community.splunk.com/t5/Monitoring-Splunk/Crash-logs-galore/m-p/23725#M261 jonathan_cooper 2013-08-07T13:37:33Z