Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Checkpoint LEA pointer is reset, events are re-indexed

pajohnston
Explorer
‎07-30-2012 10:15 AM

I've recently set up LEA-LogGrabber, which is working fine from a communication point of view - the logs are being successfully retrieved from the Checkpoint Manager and fed into Splunk. However, I've noticed that I seem to be getting identical log entries repeated in my Splunk logs. This means that searches tend to return more data than necessary and also it's using up more of my daily Splunk license than it should.

It looks like the reference pointer in the file "lea_log_rec_num.cache" in $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/bin is somehow getting reset back to 0 regularly and therefore the whole logfile is being reread into Splunk on a regular basis.

For example, see the repeated commands below:

/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache

13271

/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache

13271

/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache

0

/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache

13271

Does anyone know what could be causing this behaviour and how to stop it from happening?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-30-2012 10:23 AM

This is a known bug in the current implementation of checkpointing for the OPSEC LEA app. Its internal defect reference is APP-70. The checkpoint which determines the offset of the last event we received from the OPSEC API gets reset to 0 when a connection attempt to the API fails. We are working to resolve this problem in a future release of this app.

View solution in original post

Reply
Solved! Jump to solution

lmyrefelt
Builder
‎07-31-2012 01:23 AM

We had this problem as well and in our case it was enough to increase the time between the data pulls against the Checkpoint Manager. I think we had problems with any setting under 15 or 20 minutes.

So my tip is to increase the time elapsed between your data pulls, hope that can help you.

Reply
Solved! Jump to solution

pajohnston
Explorer
‎07-31-2012 01:26 AM

OK, I'll try increasing the time between polls and see if that makes a difference. Thanks for the tip!

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-30-2012 10:23 AM

This is a known bug in the current implementation of checkpointing for the OPSEC LEA app. Its internal defect reference is APP-70. The checkpoint which determines the offset of the last event we received from the OPSEC API gets reset to 0 when a connection attempt to the API fails. We are working to resolve this problem in a future release of this app.

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎07-30-2012 03:07 PM

@pajohnston : There is no known work-around for this issue at this time, other than investigating and resolving the failed connection attempts to the Checkpoint API that cause the event read offset to be reset. This defect is currently being investigated, but unfortunately there is no ETA for the fix that I can share with you at this time.

Reply
Solved! Jump to solution

pajohnston
Explorer
‎07-30-2012 02:32 PM

OK, thanks for that. I'm glad that it's known about.

Do you know whether there is any way to work around the problem, and when it might be fixed?

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...