All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py at very high frequency until crash

nicolasjeanselm
Explorer
‎01-11-2018 01:24 PM

This issue occurs on two distincts linux splunk deployment using Splunk 6.6.4 and 7.0.1 and not on my 7.0.1 on mac os x

At some point the scheduler loops until splunk crashes:
1/11/18
8:54:45.680 PM

01-11-2018 20:54:45.680 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py
host = splunky1 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
1/11/18
8:54:45.512 PM

01-11-2018 20:54:45.512 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py
host = splunky1 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
1/11/18
8:54:45.461 PM

01-11-2018 20:54:45.461 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py
host = splunky1 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
1/11/18
8:54:45.309 PM

01-11-2018 20:54:45.309 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py
host = splunky1 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
1/11/18
8:54:44.626 PM

01-11-2018 20:54:44.626 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/rest_ta/bin/rest.py
host = splunky1 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd

Note 1:
The first anomaly before this behavior is that REST queries are sent with timestamps for which a REST call had already been issued and answered correctly instead of being increased by 30 minutes as configured in the handler
alt text

Note 2: a custom handler is used:
https://splunkbase.splunk.com/app/3850/

Preview file
1 KB
Reply

cyrillefranchet
Explorer
‎10-29-2018 03:21 AM

After doing some testing, this is due to the cookies that are dumped into the inputs.conf file. As soon as we have more than 2 inputs the scheduler crashes.

Commenting the cookies dump is the way to go to solve this issue.

I don't know why this is happening only on Windows and Linux. maybe something related to the modification time of the inputs.conf file.

0 Karma
Reply

cyrillefranchet
Explorer
‎10-26-2018 06:10 AM

Hi Nicolas,

Did you finally find an explanation regarding this issue? My splunkd consumes 110% of the CPU when I'm using this app with a custom responses handler.

Just checked your code and thought that you develop your own REST client for your purpose. Could you confirm?

Thanks.

0 Karma
Reply

cyrillefranchet
Explorer
‎10-26-2018 06:12 AM

That's funny my OSX doesn't complain as well but my production server on Windows is dying 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...