Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forwarding Search Heads Crash Often Since 4.3 -- Anyone else?

twinspop
Influencer
‎02-01-2012 01:21 PM

Anyone else getting dead splunkds? Unfortunately, the splunkd log isn't giving any useful info. Tips on where else to look? I've got 2 totally separate SHs that are doing this. Both do forwarding duties as well as SH duties. Prior to 4.3 I don't recall ever seeing them crash.

Linux x64

Tags (3)
0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎05-23-2012 01:30 AM

I've seen something that looks similar to this. Are you using LDAP authentication and do you have referrals enabled? It seems to be working properly with this disabled (in this case, referrals are not required).

0 Karma
Reply

twinspop
Influencer
‎05-24-2012 08:22 AM

No LDAP here, nor referrals. The crashes have seemed to stop with 4.3.1 and later.

0 Karma
Reply

mwagstaff
Explorer
‎02-03-2012 07:46 AM

Just to chip in here... I've also seen this on one of my search heads (also Linux x64) since upgrading one of our environments the other day. I couldn't find any obvious causes in splunkd.log, and had a hunt around in Splunk on Splunk to no avail.

I haven't raised a support case yet as it's not a production environment and was only a once-off but if it re-occurs, I'll do so as it would be good to understand what's going on (hopefully without upping all log levels from info to debug).

Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-01-2012 01:35 PM

Is Splunkd dying entirely, or just search processes? It's possible you could be hitting http://splunk-base.splunk.com/answers/37809/halp-consulting-the-summary-dashboard-of-the-search-app-... . But, that issue won't cause the "main" splunkd to die, just search processes.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-01-2012 01:47 PM

Then, nope, wrong answer!

0 Karma
Reply

twinspop
Influencer
‎02-01-2012 01:44 PM

When trying to contact the search head: "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running." And when I issue a restart: "splunkd somepid was not running." Thanks for heads-up tho. I had noticed that other problem as well!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...