Anyone else getting dead splunkds? Unfortunately, the splunkd log isn't giving any useful info. Tips on where else to look? I've got 2 totally separate SHs that are doing this. Both do forwarding duties as well as SH duties. Prior to 4.3 I don't recall ever seeing them crash.
Linux x64
I've seen something that looks similar to this. Are you using LDAP authentication and do you have referrals enabled? It seems to be working properly with this disabled (in this case, referrals are not required).
No LDAP here, nor referrals. The crashes have seemed to stop with 4.3.1 and later.
Just to chip in here... I've also seen this on one of my search heads (also Linux x64) since upgrading one of our environments the other day. I couldn't find any obvious causes in splunkd.log, and had a hunt around in Splunk on Splunk to no avail.
I haven't raised a support case yet, as it's not a production environment and was only a once-off, but if it re-occurs, I'll do so, as it would be good to understand what's going on (hopefully without upping all log levels from info to debug).
Is splunkd dying entirely, or just search processes? It's possible you could be hitting http://splunk-base.splunk.com/answers/37809/halp-consulting-the-summary-dashboard-of-the-search-app-... . But that issue won't cause the "main" splunkd to die, just search processes.
Then, nope, wrong answer!
When trying to contact the search head: "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running." And when I issue a restart: "splunkd somepid was not running." Thanks for the heads-up, though. I had noticed that other problem as well!