Installation

Clustered indexers constantly generating crash logs

zijian
Explorer

Hi,

I have two clustered indexers which are now constantly generating crash logs in /splunk/var/log/splunk every few minutes and is unable to figure out the cause from the crash log or the error in splunkd.log.

Would anyone here be able to shed some light on this?

Splunkd Error:

WARN SearchProcessRunner [19356 PreforkedSearchesManager-0] - preforked process=0/38 status=killed, signum=6, signame="Aborted", coredump=1, uptime_sec=37.282768, stime_sec=19.850199,
max_rss_kb=472688, vm_minor=902282, vm_major=37, fs_r_count=608, fs_w_count=50856, sched_vol=3413, sched_invol=10923

Contents of one of the crash.log:

[build b6436b649711] 2023-11-02 11:39:40
Received fatal signal 6 (Aborted) on PID 23624.
Cause:
Signal sent by PID 23624 running under UID 1001.
Crashing thread: BucketSummaryActorThread
Registers:
RIP: [0x00007F0D7E2DA387] gsignal + 55 (libc.so.6 + 0x36387)
RDI: [0x0000000000005C48]
RSI: [0x00000000000059CC]
RBP: [0x0000000000000BE7]
RSP: [0x00007F0CF85F2268]
RAX: [0x0000000000000000]
RBX: [0x0000562A9ADF7598]
RCX: [0xFFFFFFFFFFFFFFFF]
RDX: [0x0000000000000006]
R8: [0x00007F0CF85FF700]
R9: [0x00007F0D7E2F12CD]
R10: [0x0000000000000008]
R11: [0x0000000000000206]
R12: [0x0000562A9AC0E070]
R13: [0x0000562A9AF9CFB0]
R14: [0x00007F0CF85F2420]
R15: [0x00007F0CF806F260]
EFL: [0x0000000000000206]
TRAPNO: [0x0000000000000000]
ERR: [0x0000000000000000]
CSGSFS: [0x0000000000000033]
OLDMASK: [0x0000000000000000]

Regards,

Zijian

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zijian,

every time I have a crash on one Splunk system I open a case to Splunk Support sending them a diag of the server.

Especially when you have so frequent crashes on both two production indexers because the service continuity is in danger: I'd open a case with priority 2 or 1.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...