searches that utilize 'cidrmatch' are generating a number of crash logs at the bunny farm today.
[build 123586] 2012-05-07 15:58:43
Received fatal signal 6 (Aborted).
Cause:
Signal sent by PID 22949 running under UID 0.
Crashing thread: Main Thread
Registers:
RIP: [0x00007FCD0F366A75] gsignal + 53 (/lib/libc.so.6)
RDI: [0x00000000000059A5]
RSI: [0x00000000000059A5]
RBP: [0x00007FCD0F47A17A]
RSP: [0x00007FFFCDE9E058]
RAX: [0x0000000000000000]
RBX: [0x00007FFFCDEA179C]
RCX: [0xFFFFFFFFFFFFFFFF]
RDX: [0x0000000000000006]
R8: [0x00007FCD10CB6700]
R9: [0x00007FCD0F47C0D1]
R10: [0x0000000000000008]
R11: [0x0000000000000206]
R12: [0x0000000001195085]
R13: [0x0000000001332AC0]
R14: [0x00007FCD0F47A17A]
R15: [0x0000000000000084]
EFL: [0x0000000000000206]
TRAPNO: [0x0000000000000000]
ERR: [0x0000000000000000]
CSGSFS: [0x0000000000000033]
OLDMASK: [0x0000000000000000]
OS: Linux
Arch: x86-64
Backtrace:
[0x00007FCD0F36A5C0] abort + 384 (/lib/libc.so.6)
[0x00007FCD0F35F941] __assert_fail + 241 (/lib/libc.so.6)
[0x0000000000D13800] _ZN22SPathFunctionEvaluator11outputFieldERK3StrS2_ + 0 (s
plunkd)
[0x0000000000D0EAB4] _ZNK17CidrMatchFunction2goEP16EvaluatorContext + 148 (spl
unkd)
[0x0000000000C8A8E3] _ZNK21FunctionEvaluatorNode8evaluateEP16EvaluatorContext
+ 67 (splunkd)
[0x0000000000C8D346] _ZNK10ORFunction8evaluateEP16EvaluatorContext + 38 (splun
kd)
Linux / sc9-splunk-l2 / 2.6.32-32-generic / #62-Ubuntu SMP Wed Apr 20 21:52:38
UTC 2011 / x86_64
/etc/debian_version: squeeze/sid
glibc version: 2.11.1
glibc release: stable
Threads running: 2
argv: [splunkd search --id=remote_sc9-splunk-security-search_1336431517.68 --max
buckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --outCsv=true
--user=sowings --pro --roles=admin:power:user]
terminating...
Anyone else observing similar crashes with 'cidrmatch' in 4.3.x OR is it just my farm?
(\__/)
(='.'=)
(")_(")
It isn't just you, this is a known issue:
http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues
This is being tracked as SPL-49828. The good news is there is a workaround:
All you need to do is replace:
'cidrmatch(A, B)'
with:
'if(typeof(B, "String"), cidrmatch(A, B), null())'
It isn't just you, this is a known issue:
http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues
This is being tracked as SPL-49828. The good news is there is a workaround:
All you need to do is replace:
'cidrmatch(A, B)'
with:
'if(typeof(B, "String"), cidrmatch(A, B), null())'
thanks jbsplunk, hares to you!!