Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stopping splunk after upgrade to 6.3.3: "Could not kill pid"

tobb
New Member
‎01-24-2017 06:32 AM

Regarding Splunk Universal Forwarder 6.3.3
OS: AIX 7100-03-03-1415

Hello

I'm using a script to upgrade splunk forwarder on our servers.
The script is run from a single server and uses rsh to do the nessesary work.

In essence the script does the following:

#Disable boot-start
$output = `rsh $target /opt/splunkforwarder/bin/splunk disable boot-start 2>&1`;

#Stop Splunk
$output = `rsh $target /opt/splunkforwarder/bin/splunk stop 2>&1`;

#It then backs up some configuration files...

#Remove Splunk
$output = `rsh $target rm -r /opt/splunkforwarder 2>&1`;

#Extract Splunk
$output = `rsh $target "(cd /opt && tar -xf /tmp/$base)" 2>&1`;

#Re-deploy configuration files...

#Set permissions
$output = `rsh $target chown -R splunk:staff /opt/splunkforwarder/ 2>&1`;

#Start Splunk
$output = `rsh $target /opt/splunkforwarder/bin/splunk start --accept-license 2>&1`;

#Enable boot-start
$output = `rsh $target /opt/splunkforwarder/bin/splunk enable boot-start -user splunk 2>&1`;

The script runs without problems and we get the upgraded servers to start indexing. Everything looks to be working.

However, I'm having some trouble trying to stop splunk forwarder on the upgraded servers...

Basically when trying to run (as root):
$ /opt/splunkforwarder/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
Could not kill pid 41156748.

A quick $ ps -ef | grep splunkd | grep -v grep shows:
root 41156748 splunkd -p 8089 start
root 41680960 [splunkd pid=41156748] splunkd -p 8089 start [process-runner]

And just to be sure $ whoami
root

Can someone please explain what's going on here, so we can fix this?

Thanks! 🙂

0 Karma
Reply

emeelan_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 12:56 PM

I think you might find the answer to your problem here: https://answers.splunk.com/answers/40435/error-unable-to-stop-splunk-helpers.html

let me know if this helps!

0 Karma
Reply

tobb
New Member
‎01-25-2017 03:45 AM

I have tried that, but with the same result. I did it as root here just to illustrate that it's most likely not a permissions-problem.

test30:/opt/splunkforwarder/var/log/splunk> su splunk -c /opt/splunkforwarder/bin/splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
Could not kill pid 13238426.

I would also add that the same thing happens when using the System Resource Controller directly
test30:/opt/splunkforwarder/var/log/splunk> stopsrc -s splunkd
0513-004 The Subsystem or Group, splunkd, is currently inoperative.

0 Karma
Reply

skalliger
Motivator
‎01-25-2017 06:29 AM

Well, I would open a support case then to see if there are any known problems.

0 Karma
Reply

skalliger
Motivator
‎01-25-2017 03:05 AM

Usually I would try to add root to the splunk group, in your case add root to staff. The question is, why are you stopping the process as root? I would atleast do sudo -u splunk -c 'the command needed'.

Skalli

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...