https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46089#M11007 <P>thanks jbsplunk, hares to you!!</P> Tue, 08 May 2012 16:59:37 GMT Chubbybunny 2012-05-08T16:59:37Z https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46087#M11005 <P>searches that utilize 'cidrmatch' are generating a number of crash logs at the bunny farm today.</P> <PRE><CODE>[build 123586] 2012-05-07 15:58:43 Received fatal signal 6 (Aborted). Cause: Signal sent by PID 22949 running under UID 0. Crashing thread: Main Thread Registers: RIP: [0x00007FCD0F366A75] gsignal + 53 (/lib/libc.so.6) RDI: [0x00000000000059A5] RSI: [0x00000000000059A5] RBP: [0x00007FCD0F47A17A] RSP: [0x00007FFFCDE9E058] RAX: [0x0000000000000000] RBX: [0x00007FFFCDEA179C] RCX: [0xFFFFFFFFFFFFFFFF] RDX: [0x0000000000000006] R8: [0x00007FCD10CB6700] R9: [0x00007FCD0F47C0D1] R10: [0x0000000000000008] R11: [0x0000000000000206] R12: [0x0000000001195085] R13: [0x0000000001332AC0] R14: [0x00007FCD0F47A17A] R15: [0x0000000000000084] EFL: [0x0000000000000206] TRAPNO: [0x0000000000000000] ERR: [0x0000000000000000] CSGSFS: [0x0000000000000033] OLDMASK: [0x0000000000000000] OS: Linux Arch: x86-64 Backtrace: [0x00007FCD0F36A5C0] abort + 384 (/lib/libc.so.6) [0x00007FCD0F35F941] __assert_fail + 241 (/lib/libc.so.6) [0x0000000000D13800] _ZN22SPathFunctionEvaluator11outputFieldERK3StrS2_ + 0 (s plunkd) [0x0000000000D0EAB4] _ZNK17CidrMatchFunction2goEP16EvaluatorContext + 148 (spl unkd) [0x0000000000C8A8E3] _ZNK21FunctionEvaluatorNode8evaluateEP16EvaluatorContext + 67 (splunkd) [0x0000000000C8D346] _ZNK10ORFunction8evaluateEP16EvaluatorContext + 38 (splun kd) Linux / sc9-splunk-l2 / 2.6.32-32-generic / #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 / x86_64 /etc/debian_version: squeeze/sid glibc version: 2.11.1 glibc release: stable Threads running: 2 argv: [splunkd search --id=remote_sc9-splunk-security-search_1336431517.68 --max buckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --outCsv=true --user=sowings --pro --roles=admin:power:user] terminating... </CODE></PRE> <P>Anyone else observing similar crashes with 'cidrmatch' in 4.3.x OR is it just my farm?</P> <PRE><CODE>(\__/) (='.'=) (")_(") </CODE></PRE> Tue, 08 May 2012 16:53:52 GMT https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46087#M11005 Chubbybunny 2012-05-08T16:53:52Z https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46088#M11006 <P>It isn't just you, this is a known issue:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues">http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues</A></P> <P>This is being tracked as SPL-49828. The good news is there is a workaround:</P> <P>All you need to do is replace: </P> <P>'cidrmatch(A, B)' </P> <P>with: </P> <P>'if(typeof(B, "String"), cidrmatch(A, B), null())' </P> Tue, 08 May 2012 16:56:48 GMT https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46088#M11006 jbsplunk 2012-05-08T16:56:48Z https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46089#M11007 <P>thanks jbsplunk, hares to you!!</P> Tue, 08 May 2012 16:59:37 GMT https://community.splunk.com/t5/Splunk-Search/crash-log-on-searches-using-cidrmatch/m-p/46089#M11007 Chubbybunny 2012-05-08T16:59:37Z