Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexer cluster - splunk offline taking excessive time

mike_k
Path Finder
‎06-16-2021 10:46 PM

I am in the process of doing some maintenance on my indexer cluster (1 cluster master, 2 peer indexers).

I  put my cluster master in maintenance-mode then went onto the first indexer and placed it in offline mode. Splunk responded on the indexer by indicating "reassigning primaries ... this may take a few minutes". This process however appears to be taking quite a while (currently 3 hours).

If i look at the splunkd log running on this indexer, i see the following:

  • A couple of the following error at the start:
    • ERROR BucketMover - aborting move because could not remove existing ....... (reason='Access is denied.')
  • At around the time i put the indexer offline the above ERROR messages stopped and i can see the indexer shutting down and finishing with:
    • INFO HotDBManager - closing hot mgr for idx=main
    • INFO IndexProcessor - request state change from=SHUTDOWN_IN_PROGRESS to=SHUTDOWN_COMPLETE
    • IndexProcessor - shutting down: end
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_LastIndexerLevel"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_AWSMetering"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpInput2"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_RemoteQueueInputWorker"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_RemoteQueue"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_RemoteFileSystem"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_LocalFileSystem"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_SearchDispatch"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_LoadLDAPUsers"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_MetricsManager"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_Pipeline"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_Queue"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_CallbackRunner"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_HttpClient"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_DmcProxyHttpClient"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_Duo2FAHttpClient"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_ApplicationLicenseChecker"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_S3ConnectionPoolManager"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_TelemetryMetricBuffer"
    • INFO ShutdownHandler - shutting down level "ShutdownLevel_ConfLiveUpdateProcessor"
    • INFO ShutdownHandler - Shutdown complete in 193.3 seconds
    • INFO loader - All pipelines finished.

Note: have only put in what appear to be significant lines at the end of the splunkd.log file.

to my mind this appears as though the Indexer has successfully transitioned to offline, however the cmd prompt still appears to be processing (still printing dots to the screen). would be good to get a second opinion as to whether I terminate the command prompt with the "splunk offline" command running.

0 Karma
Reply

mike_k
Path Finder
‎06-16-2021 11:40 PM

Thanks for that reply.

At the end of the day, i figured that the log indicated that it had finished. So i terminated the splunkd process and shutdown/rebooted the server (which I had to do anyway as part of the maintenance activity i was doing).

It appears to have come back up (just looking at it now), joined the cluster. Search and replication factor have gone back to green. It all appears to be working again. but quite weird.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-16-2021 11:31 PM

This is quite interesting if it still print those dots event logs said that it has shutdown already.

The first message "Access denies" could means that there are some files which have wrong ownership. You should do chow -R <splunk>:<splunk> for $SPLUNK_HOME and all data dirs which you portably have somewhere else.

I suppose that you are running it on linux. So do "ps -fe" and check are there still any splunk based processes and who owns those.

r. Ismo

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...