Splunk hangs browser doing simple search with ERROR StreamGroup log entry


Here is the log entry from splunkd.log:

12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|

I've restarted Splunk with no success. I am on version Splunk 6.0 (build 182037)

Any suggestions?



Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.

I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).

At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.

I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering ...

0 Karma


I was seeing exactly the error as described by @khyoung, except the name of the hot bucket was different in my case (hot_v1_518 instead of hot_v1_1). I am on splunk 5.0.2 with "Splunk App for unix and linux" version 5.01. (I mention this because the OS db is used by this app.) It did not hang my browser, but I happened to be running a tail -f in the background piping to a grep for ERROR and this started showing up after I had stopped splunk, manually re-installed the app, and restarted splunk. (I had to manually re-install the app because someone here accidentally rm'd something in there.)

So, I went searching for this error and found your splunk question and comments, and as no one had any answers -- and I had already tried stopping and starting splunk, I decided to try this (WARNING -- stop splunk first!)

splunk fsck --repair --index os --all

And guess what? After I restarted splunk I did not see this error anymore. See if it works for you.

0 Karma
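
To see which index directory and hot bucket the StreamGroup errors in this thread point at (and so which index to inspect or pass to `splunk fsck`), the following added example groups the "Dumping contents of file=" lines from splunkd.log; it is not part of any post above and is not Splunk's own tooling. It assumes the `<index dir>/db/<hot bucket>/` path layout seen in the quoted log lines, and the sample log is constructed from them.

```python
import re

# Constructed sample modelled on the splunkd.log lines quoted in this thread;
# the INFO line is made up to show that unrelated entries are skipped.
SAMPLE_LOG = '''\
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|
12-23-2013 11:47:56.480 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:48:01.112 -0500 INFO  Example - constructed unrelated line
01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:
'''

DUMP_RE = re.compile(
    r'^(?P<ts>\d\d-\d\d-\d{4} [\d:.]+ [+-]\d{4}) ERROR StreamGroup - '
    r'Dumping contents of file="(?P<path>[^"]+)" txnPerSync=(?P<txn>\d+):')
# Assumption: bucket paths look like <index dir>/db/<hot bucket>/<file>, as in
# the thread. The directory name is not always the index name.
PATH_RE = re.compile(r'/(?P<index_dir>[^/]+)/db/(?P<bucket>hot_[^/]+)/[^/]+$')

def affected_buckets(log_text):
    """Group StreamGroup dump errors by (index_dir, bucket)."""
    found = {}
    for line in log_text.splitlines():
        entry = DUMP_RE.match(line)
        where = PATH_RE.search(entry.group("path")) if entry else None
        if not where:
            continue
        key = (where.group("index_dir"), where.group("bucket"))
        rec = found.setdefault(key, {"count": 0, "first": entry.group("ts"),
                                     "txnPerSync": int(entry.group("txn"))})
        rec["count"] += 1
        rec["last"] = entry.group("ts")
    return found

if __name__ == "__main__":
    for (index_dir, bucket), rec in sorted(affected_buckets(SAMPLE_LOG).items()):
        print(f"{index_dir}/{bucket}: {rec['count']} dump(s), "
              f"{rec['first']} .. {rec['last']}, txnPerSync={rec['txnPerSync']}")
```
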


Is it possible that there's a single line event written into the logs that is extraordinarily long? I recently found that single line events with tens of thousands or hundreds of thousands of characters can hang the browser.

0 Karma


I'm getting this too, and I can't seem to figure it out. Have you guys had any luck yet?

0 Karma


Me too....
I am on version Splunk 6.0.1 and using *NIX

01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|134044|1554700|1117670|32830|61|
01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - <<<EOF file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat"
01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:

0 Karma