All Apps and Add-ons

Splunk Add-on for AWS: Why are there Issues with Kinesis Pull?

chrisboy68
Contributor

Hi, Running 5.04 of the Add On - on a HF Splunk 8.1.3. Randomly an input just stops ingesting. There is nothing in the logs, even with DEBUG on. Loggin on this app is poor (rant).

Anyone run into similar issues? Tips, suggestions?  Nothing showing up in the splunkd DEBUG logs either. 

 

Thanks

 

Chris

Labels (1)
Tags (4)
0 Karma

chrisboy68
Contributor

Thanks for the suggestion. Yes, they are sending to the stream. 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@chrisboy68 

You must be using Kinesis Data Streams?  It's unstable usually doesn't log much when the real-time streaming is too much. Check was there increase of logs stream logs before it has stopped.

check the _internals modinputs logs... keywords *shard*, *Thread* .  Did you check this sourcetype 'aws:kinesis:log'?

Restart of HF usually fixes the issues.

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@chrisboy68 can you verify kinesis activity on AWS was it sending the stream?

Further you can update the following settings, Spec says

[global_settings]
use_hec = 0 or 1, use Http Event collector to inject data
hec_port = 8088, Http Event Collector port
use_kv_store = 0 or 1, use KVStore to do ckpt
use_multiprocess = 0 or 1, use use_multiprocess to do data collection

change them to,

#aws_kinesis.conf
[global_settings]
use_hec = 1
use_multiprocess = 0

---

An upvote would be appreciated and Accept solution if it helps!

0 Karma

chrisboy68
Contributor

Hi, yes we are sure the stream has data. We have seen this issue on multiple inputs. We have a case in process.

 

Thanks for helping

 

Chris

0 Karma

wongki
Explorer

Hey @chrisboy68 . Was this solved? We have Splunk Enterprise 8.2.3 running Splunk_TA_aws 5.2.0. At the rate it's going, Splunk will never be able to ingest fully even after retention period. All config is default.

0 Karma

chrisboy68
Contributor

No. We ended up going with another solution (product outside of Splunk). The TA was very buggy and does not scale or cluster aware (just one HF doing work). It caused us many headaches. For smaller shops, I'm sure it works fine.

 

Chris

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...