Monitoring Splunk

Error stopping service Splunkd (1053)

Gilgalidd
Path Finder

Hello,

I receive a strange error when I try to stop splunkd under Windows by:

  • splunk.exe stop or restart
  • services.msc > splunkd > stop

    Error stopping service Splunkd (1053): The service did not respond to the stop request in a timely fashion.
    The Splunkd service was forcibly stopped by the Service Control Manager.
    Splunkd: Stopped

Nothing seems to be useful in var/log/splunkd.log

Anyone have an idea?

Thanks.


markfocella
Explorer

The issue is that the Splunk forwarder takes more than 30 seconds to go through a restart. Windows has a 30-second default timeout, and if the restart takes longer than 30 seconds it will throw a timeout error.

This can be fixed by adding a setting in the registry and restarting Windows.

http://support.threattracksecurity.com/support/solutions/articles/1000071019-error-1053-the-service-...

Gilgalidd
Path Finder

I don't know why, but this message disappeared after I added a new listening port on 9998, disabled listening on 9997, restarted splunkd (no error) and enabled listening on 9997.

After that, I don't see this error when I restart splunkd.

I mark this topic solved because it's ok for me after that but no root cause and no real fix to apply.

Thanks for your comments.

0 Karma

gpayal18
Explorer

Where did you update 9997 to 9998?

0 Karma

gpayal18
Explorer

In which config file did you update this?

0 Karma

lukejadamec
Super Champion

When I see this error it generally occurs when there is a heavy index load, and my understanding is that splunkd will not stop when it is busy indexing its buffer - splunkd will stop new data from entering the buffer, and index what is in the buffer before it shuts down. Windows does not really care if splunkd is not ready to shut down - Windows gives the service a certain amount of time to shut down, and if it does not shut down in that amount of time then Windows shuts it down.

0 Karma

Gilgalidd
Path Finder

OK, but it appears on a heavy forwarder, without indexing, just forwarding.

After 3 or 4 successive restarts and no listening ports, buffers should be empty but this message is still here.

It seems not to be the cause.

How to check if all buffers are empty or other processing tasks are running?

How to stop Splunk properly?

0 Karma