Hi, Running 5.04 of the Add On - on a HF Splunk 8.1.3. Randomly an input just stops ingesting. There is nothing in the logs, even with DEBUG on. Loggin on this app is poor (rant).
Anyone run into similar issues? Tips, suggestions? Nothing showing up in the splunkd DEBUG logs either.
Thanks
Chris
Thanks for the suggestion. Yes, they are sending to the stream.
You must be using Kinesis Data Streams? It's unstable usually doesn't log much when the real-time streaming is too much. Check was there increase of logs stream logs before it has stopped.
check the _internals modinputs logs... keywords *shard*, *Thread* . Did you check this sourcetype 'aws:kinesis:log'?
Restart of HF usually fixes the issues.
@chrisboy68 can you verify kinesis activity on AWS was it sending the stream?
Further you can update the following settings, Spec says
[global_settings]
use_hec = 0 or 1, use Http Event collector to inject data
hec_port = 8088, Http Event Collector port
use_kv_store = 0 or 1, use KVStore to do ckpt
use_multiprocess = 0 or 1, use use_multiprocess to do data collection
change them to,
#aws_kinesis.conf
[global_settings]
use_hec = 1
use_multiprocess = 0
---
An upvote would be appreciated and Accept solution if it helps!
Hi, yes we are sure the stream has data. We have seen this issue on multiple inputs. We have a case in process.
Thanks for helping
Chris
Hey @chrisboy68 . Was this solved? We have Splunk Enterprise 8.2.3 running Splunk_TA_aws 5.2.0. At the rate it's going, Splunk will never be able to ingest fully even after retention period. All config is default.
No. We ended up going with another solution (product outside of Splunk). The TA was very buggy and does not scale or cluster aware (just one HF doing work). It caused us many headaches. For smaller shops, I'm sure it works fine.
Chris