Is this a known issue that splunk-optimize.exe on windows is faulting?

simpkins1958
Contributor

Is this a known issue? Using Splunk Enterprise 7.0.2 on Windows Server 2012 R2.

Faulting application name: splunk-optimize.exe, version: 1792.512.23146.14948, time stamp: 0x5a6a3b8d
Faulting module name: ucrtbase.DLL, version: 10.0.10586.212, time stamp: 0x56fa10e8
Exception code: 0xc0000409
Fault offset: 0x0000000000068528
Faulting process id: 0xb0c
Faulting application start time: 0x01d3d72da73bc5d0
Faulting application path: C:\Program Files\splunk\bin\splunk-optimize.exe
Faulting module path: C:\Program Files\splunk\bin\ucrtbase.DLL
Report Id: eab32659-4320-11e8-80ca-0050569719bd
Faulting package full name: 
Faulting package-relative application ID: 

Speedy1968
New Member

Hi,
We are also testing Splunk, but we get the same errors on the Splunk server. About every 10 minutes splunk-optimize.exe crashes. Additionally, this server has high CPU usage caused by splunkd.exe. Can we set some configuration to stop these issues?

Regards
Frank

0 Karma

simpkins1958
Contributor

Log file info:

04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824_SplunkOptimize) Logging configuration: verbose=1, log2splunk=1
04-16-2018 09:55:37.247 -0700 INFO SplunkOptimize - (child_531824SplunkOptimize) splunk-optimize start: dir=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4 mode=0 isfinal=false max_iteration=2147483647 min_src_count=8 lex_tpb=64
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_0=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897731-1523897731-13561173308247173833.tsidx sz=4261
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_1=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897733-1523897733-13612458228533476581.tsidx sz=4577
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_2=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897717-1523897717-12926469784342936364.tsidx sz=6629
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_3=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897714-1523897714-12797656349266986398.tsidx sz=7568
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_4=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897722-1523897722-13184096697444471740.tsidx sz=7891
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_5=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897720-1523897720-13054467136977953536.tsidx sz=7925
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_6=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897725-1523897725-13312179807691478568.tsidx sz=7960
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) source_7=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897730-1523897730-13538754480905189005.tsidx sz=29914
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824_SplunkOptimize) source_8=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897712-1523897538-12711880831551459716.tsidx sz=121754
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) intermediate=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\7584-1523897736.merge
04-16-2018 09:55:37.247 -0700 DEBUG SplunkOptimize - (child_531824SplunkOptimize) target=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4\1523897733-1523897538-13699309549895350546.tsidx
04-16-2018 09:55:37.247 -0700 INFO SplunkOptimize - (child_531824SplunkOptimize) optimize finished: files merged successfully, dir=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4, rc=0 (unsigned 0), errno=87

04-16-2018 09:55:37.247 -0700 INFO SplunkOptimize - (child_531824SplunkOptimize) optimize finished: no suitable pair of tsidx found for optimize, dir=E:\Program Files\Splunk\var\lib\splunk_internaldb\db\hot_v1_4, rc=-31 (unsigned 225), errno=18
04-16-2018 09:55:37.247 -0700 INFO SplunkOptimize - (child_531824SplunkOptimize) exiting splunk-optimize process with rc=-31 (unsigned 225)

0 Karma

Speedy1968
New Member

We are testing Splunk with uberAgent and having the same issues with splunk-optimize.exe. About every 10 minutes the application crashes 3 to 4 times. Additionally, splunkd.exe causes high CPU usage. Should we change some settings? What's going wrong here?

0 Karma

steven_winslow
Explorer

I'm having a similar issue with UF 7.0.2 and Windows Server 2012 R2. Except instead of splunk-optimize.exe, I'm having issues with splunk-winevtlog.exe and splunk-perfmon.exe.

I'm running SCEP for AV and the machine is an IIS server. AV Definition updates and the IIS worker process w3wp.exe are secondary suspects for us.

0 Karma