Splunk Search

crash log on searches using cidrmatch.

Chubbybunny
Splunk Employee
Splunk Employee

searches that utilize 'cidrmatch' are generating a number of crash logs at the bunny farm today.

[build 123586] 2012-05-07 15:58:43 
Received fatal signal 6 (Aborted). 
Cause: 
Signal sent by PID 22949 running under UID 0. 
Crashing thread: Main Thread 
Registers: 
RIP: [0x00007FCD0F366A75] gsignal + 53 (/lib/libc.so.6) 
RDI: [0x00000000000059A5] 
RSI: [0x00000000000059A5] 
RBP: [0x00007FCD0F47A17A] 
RSP: [0x00007FFFCDE9E058] 
RAX: [0x0000000000000000] 
RBX: [0x00007FFFCDEA179C] 
RCX: [0xFFFFFFFFFFFFFFFF] 
RDX: [0x0000000000000006] 
R8: [0x00007FCD10CB6700] 
R9: [0x00007FCD0F47C0D1] 
R10: [0x0000000000000008] 
R11: [0x0000000000000206] 
R12: [0x0000000001195085] 
R13: [0x0000000001332AC0] 
R14: [0x00007FCD0F47A17A] 
R15: [0x0000000000000084] 
EFL: [0x0000000000000206] 
TRAPNO: [0x0000000000000000] 
ERR: [0x0000000000000000] 
CSGSFS: [0x0000000000000033] 
OLDMASK: [0x0000000000000000] 

OS: Linux 
Arch: x86-64 

Backtrace: 
[0x00007FCD0F36A5C0] abort + 384 (/lib/libc.so.6) 
[0x00007FCD0F35F941] __assert_fail + 241 (/lib/libc.so.6) 
[0x0000000000D13800] _ZN22SPathFunctionEvaluator11outputFieldERK3StrS2_ + 0 (s 
plunkd) 
[0x0000000000D0EAB4] _ZNK17CidrMatchFunction2goEP16EvaluatorContext + 148 (spl 
unkd) 
[0x0000000000C8A8E3] _ZNK21FunctionEvaluatorNode8evaluateEP16EvaluatorContext 
+ 67 (splunkd) 
[0x0000000000C8D346] _ZNK10ORFunction8evaluateEP16EvaluatorContext + 38 (splun 
kd) 
Linux / sc9-splunk-l2 / 2.6.32-32-generic / #62-Ubuntu SMP Wed Apr 20 21:52:38 
UTC 2011 / x86_64 
/etc/debian_version: squeeze/sid 
glibc version: 2.11.1 
glibc release: stable 
Threads running: 2 
argv: [splunkd search --id=remote_sc9-splunk-security-search_1336431517.68 --max 
buckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --outCsv=true 
--user=sowings --pro --roles=admin:power:user] 
terminating...

Anyone else observing similar crashes with 'cidrmatch' in 4.3.x OR is it just my farm?

(\__/)
(='.'=)
(")_(")
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

It isn't just you, this is a known issue:

http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues

This is being tracked as SPL-49828. The good news is there is a workaround:

All you need to do is replace:

'cidrmatch(A, B)'

with:

'if(typeof(B, "String"), cidrmatch(A, B), null())'

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

It isn't just you, this is a known issue:

http://docs.splunk.com/Documentation/Splunk/latest/releasenotes/KnownIssues

This is being tracked as SPL-49828. The good news is there is a workaround:

All you need to do is replace:

'cidrmatch(A, B)'

with:

'if(typeof(B, "String"), cidrmatch(A, B), null())'

Chubbybunny
Splunk Employee
Splunk Employee

thanks jbsplunk, hares to you!!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...