Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk indexers crashing

ajji2684
Engager
‎12-18-2013 08:23 AM

Team,

We have added 1800 more forwarders that report very small data (around 100MB all to gether)to Splunk, as soon as we started them , splunk indexers started crashing and they are crashing repeatedly soon after we start.

We are running on AIX and splunk version is 4.3.3
in the crash log am seeing below message

Received fatal signal 11 (Segmentation fault).
Cause:
Memory access denied at address [0x00000004].
Crashing thread: TcpInputProcessor
Registers:
IAR: [0x10031E3C] ?

any help would be appreacieated

Tags (2)
Reply

ShaneNewman
Motivator
‎12-18-2013 08:19 PM

We saw the same thing on our AIX indexer. Every time we restarted the instance it would crash within 5-10 minutes. After dealing with this for about 3 days, we upgraded to 6.0 and that did not help either.

One of my co-workers put in a ticket with Splunk, nothing useful ever came of it though.

At the end of the day, we ended up converting that server from an indexer to a heavy forwarder. It has been up for 2 months now with no issues. We still have it doing all of the extractions and reassigning indexes/sourcetypes based on eventtypes and regex matches, the only change was to stop indexing on that server.

You can always submit your own ticket to Splunk, go to the /opt/Splunk/bin directory and run splunk diag. This will give you a rather large file to upload to your support ticket, if your company does not pay for support... be prepared to wait a few days for a response.

0 Karma
Reply

RishiMandal
Explorer
‎05-14-2019 02:05 PM

Same here. we kept it idle for one year, just like a dummy server without splunk running. We recently upgraded to 7 version and started hoping the indexer runs smooth, but still the same issue
FATAL ProcessRunner - Unexpected EOF from process runner child!
FATAL ProcessRunner - Unexpected EOF from process runner child!

0 Karma
Reply

gfuente
Motivator
‎12-18-2013 08:26 AM

Hello

Did you set the server ulimits properly?

http://docs.splunk.com/Documentation/Splunk/6.0/Troubleshooting/ulimitErrors

Regards

0 Karma
Reply

ajji2684
Engager
‎12-18-2013 08:37 AM

yes,

Ulimit is set to unlimited

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...