Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk indexers crashing

ajji2684
Engager
‎12-18-2013 08:23 AM

Team,

We have added 1800 more forwarders that report very small data (around 100MB all to gether)to Splunk, as soon as we started them , splunk indexers started crashing and they are crashing repeatedly soon after we start.

We are running on AIX and splunk version is 4.3.3
in the crash log am seeing below message

Received fatal signal 11 (Segmentation fault).
Cause:
Memory access denied at address [0x00000004].
Crashing thread: TcpInputProcessor
Registers:
IAR: [0x10031E3C] ?

any help would be appreacieated

Tags (2)
Reply

ShaneNewman
Motivator
‎12-18-2013 08:19 PM

We saw the same thing on our AIX indexer. Every time we restarted the instance it would crash within 5-10 minutes. After dealing with this for about 3 days, we upgraded to 6.0 and that did not help either.

One of my co-workers put in a ticket with Splunk, nothing useful ever came of it though.

At the end of the day, we ended up converting that server from an indexer to a heavy forwarder. It has been up for 2 months now with no issues. We still have it doing all of the extractions and reassigning indexes/sourcetypes based on eventtypes and regex matches, the only change was to stop indexing on that server.

You can always submit your own ticket to Splunk, go to the /opt/Splunk/bin directory and run splunk diag. This will give you a rather large file to upload to your support ticket, if your company does not pay for support... be prepared to wait a few days for a response.

0 Karma
Reply

RishiMandal
Explorer
‎05-14-2019 02:05 PM

Same here. we kept it idle for one year, just like a dummy server without splunk running. We recently upgraded to 7 version and started hoping the indexer runs smooth, but still the same issue
FATAL ProcessRunner - Unexpected EOF from process runner child!
FATAL ProcessRunner - Unexpected EOF from process runner child!

0 Karma
Reply

gfuente
Motivator
‎12-18-2013 08:26 AM

Hello

Did you set the server ulimits properly?

http://docs.splunk.com/Documentation/Splunk/6.0/Troubleshooting/ulimitErrors

Regards

0 Karma
Reply

ajji2684
Engager
‎12-18-2013 08:37 AM

yes,

Ulimit is set to unlimited

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...