Monitoring Splunk

How to solve: ERROR StreamGroup - Dumping contents of file="...splunk-autogen-params.dat" txnPerSync=77:

rune_hellem
Contributor

Using Splunk in a Windows environment, search head and indexer on Win 2012, while the rest of the servers being indexed are mostly Win 2008 R2.

Today I got to see a lot of the following error messages in the _internal-index

02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - <<<EOF file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat"

02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - Dumping contents of file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat" txnPerSync=77:

The errors are logged to splunkd.log on the indexer.

Not really sure what to do with this right now, or if I need to do anything at all.

0 Karma
1 Solution

bosburn_splunk
Splunk Employee

Okay, I did some quick checking - I've run across this before. Those messages are benign, and will be addressed in a later update.

It means that our tsidx buffer has been shrunk a bit too small. The message also means that we’ve increased that size to a reasonable level. There are no known adverse effects stemming from this message.

0 Karma

lmyrefelt
Builder

Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.

I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).

At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.

I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering ...

0 Karma
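To find which indexes to inspect for mis-parsed events, the StreamGroup lines in splunkd.log can be grouped by the index named in each file path. This is an added example, not code from the thread or from Splunk; it assumes the path layout seen in the quoted error (`<index>\db\<bucket>\splunk-autogen-params.dat`), and every sample line other than the two quoted in the question is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two lines quoted in the question, plus one made-up
# Linux-style path and one unrelated line.
SAMPLE_LOG = r'''02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - <<<EOF file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat"
02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - Dumping contents of file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat" txnPerSync=77:
02-11-2014 21:31:02.101 +0100 ERROR StreamGroup - Dumping contents of file="/opt/splunk/var/lib/splunk/weblogs/db/hot_v1_12/splunk-autogen-params.dat" txnPerSync=64:
02-11-2014 21:31:05.000 +0100 INFO  Metrics - group=pipeline, name=indexerpipe
'''

# Match only the "Dumping contents" line so the paired "<<<EOF" line is not double-counted.
DUMP_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) +ERROR +StreamGroup - '
    r'Dumping contents of file="(?P<path>[^"]+)" txnPerSync=(?P<txn>\d+)')

def index_and_bucket(path):
    """Split .../<index>/<db dir>/<bucket>/splunk-autogen-params.dat (assumed layout)."""
    parts = re.split(r'[\\/]+', path)  # accept Windows and Linux separators
    if len(parts) < 4 or parts[-1] != "splunk-autogen-params.dat":
        return None
    return parts[-4], parts[-2]

def summarize(log_text):
    """Return {index: {"count", "buckets", "txn", "first", "last"}} for StreamGroup dumps."""
    out = defaultdict(lambda: {"count": 0, "buckets": set(), "txn": [],
                               "first": None, "last": None})
    for line in log_text.splitlines():
        m = DUMP_RE.match(line)
        loc = index_and_bucket(m["path"]) if m else None
        if loc is None:
            continue
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        entry = out[loc[0]]
        entry["count"] += 1
        entry["buckets"].add(loc[1])
        entry["txn"].append(int(m["txn"]))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(out)

if __name__ == "__main__":
    for idx, e in summarize(SAMPLE_LOG).items():
        print(idx, e["count"], sorted(e["buckets"]), e["txn"], e["first"], e["last"])
```

The first and last timestamps per index give a window to compare against other indexer symptoms, such as the replication issues mentioned elsewhere in this thread.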

rune_hellem
Contributor

Did a search now and found no reported errors available. Now running Splunk 6.1.1 build 207789, so as mentioned in the first answer I'm guessing that it has been fixed after I have updated to 6.1.1

0 Karma

rune_hellem
Contributor

Yes, the servers are VMware servers.

Splunk 6.0.1 (build 189883)

0 Karma

rune_hellem
Contributor

So, just to check if I get this...the error can safely be ignored?

0 Karma

jonathan_cooper
Communicator

I'm curious though, in our situation, I will see about 9-10 of these messages then the indexer will no longer be able to talk to the SH. We will get replication issues and have to restart the indexer and/or the SH. Is there any correlation there? Perhaps the symptom is just a coincidence?

0 Karma

bosburn_splunk
Splunk Employee

What version of Splunk are you using?

0 Karma

jonathan_cooper
Communicator

I have the same scenario except on a Linux indexer. Still can't find any additional information about these errors. You wouldn't happen to be running this on a VM, would you?

0 Karma