All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-on for AWS: Why are there Issues with Kinesis Pull?

chrisboy68
Contributor
‎06-30-2021 03:14 PM

Hi, Running 5.04 of the Add On - on a HF Splunk 8.1.3. Randomly an input just stops ingesting. There is nothing in the logs, even with DEBUG on. Loggin on this app is poor (rant).

Anyone run into similar issues? Tips, suggestions?  Nothing showing up in the splunkd DEBUG logs either. 

 

Thanks

 

Chris

Labels (1)
Labels
Tags (4)
0 Karma
Reply

chrisboy68
Contributor
‎07-01-2021 04:47 AM

Thanks for the suggestion. Yes, they are sending to the stream. 

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 05:51 PM

@chrisboy68 

You must be using Kinesis Data Streams?  It's unstable usually doesn't log much when the real-time streaming is too much. Check was there increase of logs stream logs before it has stopped.

check the _internals modinputs logs... keywords *shard*, *Thread* .  Did you check this sourcetype 'aws:kinesis:log'?

Restart of HF usually fixes the issues.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 06:54 PM

@chrisboy68 can you verify kinesis activity on AWS was it sending the stream?

Further you can update the following settings, Spec says

[global_settings]
use_hec = 0 or 1, use Http Event collector to inject data
hec_port = 8088, Http Event Collector port
use_kv_store = 0 or 1, use KVStore to do ckpt
use_multiprocess = 0 or 1, use use_multiprocess to do data collection

change them to,

#aws_kinesis.conf
[global_settings]
use_hec = 1
use_multiprocess = 0

---

An upvote would be appreciated and Accept solution if it helps!

0 Karma
Reply

chrisboy68
Contributor
‎07-02-2021 11:31 AM

Hi, yes we are sure the stream has data. We have seen this issue on multiple inputs. We have a case in process.

 

Thanks for helping

 

Chris

0 Karma
Reply

wongki
Explorer
‎07-19-2022 09:21 AM

Hey @chrisboy68 . Was this solved? We have Splunk Enterprise 8.2.3 running Splunk_TA_aws 5.2.0. At the rate it's going, Splunk will never be able to ingest fully even after retention period. All config is default.

0 Karma
Reply

chrisboy68
Contributor
‎07-21-2022 05:41 AM

No. We ended up going with another solution (product outside of Splunk). The TA was very buggy and does not scale or cluster aware (just one HF doing work). It caused us many headaches. For smaller shops, I'm sure it works fine.

 

Chris

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...