Solved: Re: libpcre.so.0 error of bloom command

takol · ‎11-28-2012

Installed Splunk 5.0.1 on Gentoo Linux (x64). Execute "/opt/splunk/bin/bloom" and get the error message:

/opt/splunk/bin/splunkd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory

Manually added a symbol link from /usr/lib64/libpcre.so to /usr/lib64/libpcre.so.0 and execute bloom again. Get the error message:

/opt/splunk/bin/splunkd: error while loading shared libraries: /usr/lib64/libpcre.so.0: invalid ELF header

Is the error coming from the os library or the bloom utility?

takol · ‎11-29-2012

We find the bloom utility can work fine if we use splunk cmd to execute it.

$SPLUNK_HOME/bin/splunk cmd bloom

The same libpcre.so.0 error occur when we execute btool utility directly on Gentoo Linux (x64). The above libpcre.so.0 error will not be triggered on Mac OS X.

View solution in original post

takol · ‎11-29-2012

We find the bloom utility can work fine if we use splunk cmd to execute it.

$SPLUNK_HOME/bin/splunk cmd bloom

The same libpcre.so.0 error occur when we execute btool utility directly on Gentoo Linux (x64). The above libpcre.so.0 error will not be triggered on Mac OS X.

Drainy · ‎11-30-2012

Yes, btool is supported. As I said above, my answer wasn't directed at the error you were experiencing. Running commands with Splunk cmd just enables them to use the libraries included with Splunk. If they throw an error or not is irrelevant to if it is supported or buggy 🙂 In this case, the bloom command "executes" - but as per my post below, it creates duplicate buckets and doesn't actually work and so is unsupported. Btool should always be used and is encouraged! Its a great tool.

takol · ‎11-30-2012

For your reference, the btool has the same situation. Execute btool directly come out the libpcre.so.0 error. Using splunk cmd to call btool works fine. So, the btool should be supported by splunk, right?

Drainy · ‎11-30-2012

Its a big product and there are a lot of elements to it, I expect it was still either being tested or a bug was found after release with it. It is listed in the known issues that all customers read before installing, however, so it is at least well publicised.

takol · ‎11-30-2012

Why this utility publish to customers if is unsupported?

Drainy · ‎11-30-2012

Just to be clear, my post below was unrelated to your error. The bloom command is still unsupported, however it is called, as it is currently causing damage to bloom filters and should not be used.

Drainy · ‎11-29-2012

Why are you trying to use the bloom utility? You shouldn't be trying to use this at the moment.

As per the known issues;

•The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)

If you have a particular problem, throw it up here and we'll see if theres another way to fix it or if its alright 🙂

takol · ‎11-29-2012

Thanks, Drainy. We will ignore the bloom utility problem and use splunk fsck command.

Drainy · ‎11-29-2012

you should be using fsck, this should repair any damage. http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/HowSplunkstoresindexes#Troubleshoot_your_buc...

takol · ‎11-29-2012

We configure indexes.conf and put bloom filter in separate volume (a SSD to accelerate searching). How to rebuild the bloom filter once the volume has crashed without bloom utility?

libpcre.so.0 error of bloom command

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life