Question About SPL for SplunkD Shutdown

McMac84 · ‎10-28-2022

Hi all, I am new to Splunk and am trying to look for logs that indicate that the SplunkD service shutdown. I am trying this, but I am not sure if there's a better one:

index=_internal sourcetype="splunkd" keywords "*shut"

richgalloway · ‎10-28-2022

That query is close. Try this

index=_internal sourcetype="splunkd" source=*splunkd.log "shut*"

You also could try searching for component=shutdown

---
If this reply helps you, Karma would be appreciated.

schose · ‎10-28-2022

Hi,

i would go with this event in splunkd.log:

"IndexProcessor [5762669 MainThread] - request state change from=RUN to=SHUTDOWN_SIGNALED"

this is triggering Splunk to shutdown..

last events at shutdown looks like this:

10-28-2022 16:35:56.890 +0100 INFO  Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_Duo2FAHttpClient"
10-28-2022 16:35:56.890 +0100 INFO  Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_S3ConnectionPoolManager"
10-28-2022 16:35:56.891 +0100 INFO  Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_WorkloadManager"
10-28-2022 16:35:56.894 +0100 INFO  loader [5762669 MainThread] - All pipelines finished

meaning shutdown could be measured with this:

index=_internal sourcetype="splunkd" source=*splunkd.log  (request state change from=RUN to=SHUTDOWN_SIGNALED) OR (Shutdown shutting down level=*) | transaction startswith=SHUTDOWN_SIGNALED | table _time duration

best regards,

Andreas

Question About SPL for SplunkD Shutdown

indexer

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023