Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Session lock files

mslvrstn
Communicator
‎04-07-2011 09:06 PM

All of my indexers have thousands of session lock files similar to

-rw-------  1 root   root         0 Jan 27 16:38 session-fa9570368b47a81458a696720fb657239dc0a60c.lock

ls /opt/splunk/var/run/splunk/session*.lock | wc -l
20379

which go back for months.

I don't know that there is anything necessarily wrong with this, but it doesn't feel right. Is this common? If it isn't, what kind of misbehavior should we be on the lookout for?

Tags (2)
Reply

johnhsu
Observer
‎10-04-2013 10:45 AM

Remove tons of session files
ll | grep session | awk '{print "rm "$8" "}' | csh

Note:
"$8" -- column 8 of ll comand

Thanks
Sincerely
John Hsu

0 Karma
Reply

gareth
Splunk Employee
Splunk Employee
‎04-09-2011 01:25 AM

Well even with that traffic, the lock files shouldn't be months old; something odd there.

0 Karma
Reply

mslvrstn
Communicator
‎04-08-2011 02:18 AM

Firstly, thanks for the edit, dwaddle. I see what you did with the indent and I will do that from now on.

Gareth, it's 4.1.6 on Linux. Your question about web_service log was right on target. At first I thought not, since these are indexers and don't get much http traffic, although splunkweb is enabled for convenience. Then I looked at the logs and saw tons of web vulnerability assessment traffic. Understanding that those session files correspond to splunkweb traffic was the key. Thanks!

0 Karma
Reply

gareth
Splunk Employee
Splunk Employee
‎04-07-2011 09:17 PM

No, that shouldn't happen. Extraneous session and lock files should be purged every five minutes or so.

Which version of Splunk are you running (and on what platform)? Are there any related error messages in the web_service.log?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...