Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About transtrophe
transtrophe
Communicator
Member since:
03-06-2015
06-05-2020
Community Statistics
| Posts | 79 |
| Solutions | 4 |
| Karma Given | 0 |
| Karma Received | 24 |
| Member Since | 03-06-2015 |
Activity Feed
- Got Karma for Re: Is there a method to change the pass4SymmKey value across all the peers in an index cluster and also a search-head cluster to ensure replication within the index cluster and integration of the search-head cluster with an indexer cluster?. 05-25-2022 03:20 AM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:16 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:16 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:15 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:14 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:14 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:14 PM
- Got Karma for Re: When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:14 PM
- Got Karma for When using deployer to push configuration updates to cluster members, where do the updated config files go?. 10-27-2020 07:13 PM
- Got Karma for What is the correct installation and configuration for the Fire Brigade version 2 app and add-on in an indexer clustering environment?. 06-05-2020 12:47 AM
- Got Karma for Re: What credentials should be used when initializing the deployer when setting up a search head cluster in enterprise 6.2.2?. 06-05-2020 12:47 AM
- Got Karma for What credentials should be used when initializing the deployer when setting up a search head cluster in enterprise 6.2.2?. 06-05-2020 12:47 AM
- Got Karma for How to integrate search head cluster into indexer cluster?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a method to change the pass4SymmKey value across all the peers in an index cluster and also a search-head cluster to ensure replication within the index cluster and integration of the search-head cluster with an indexer cluster?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a method to change the pass4SymmKey value across all the peers in an index cluster and also a search-head cluster to ensure replication within the index cluster and integration of the search-head cluster with an indexer cluster?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a method to change the pass4SymmKey value across all the peers in an index cluster and also a search-head cluster to ensure replication within the index cluster and integration of the search-head cluster with an indexer cluster?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a way to get the current retention and archiving policies that are defined for backups?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a way to get the current retention and archiving policies that are defined for backups?. 06-05-2020 12:47 AM
- Got Karma for What are recommended/effective techniques for troubleshooting replication and search factor failures?. 06-05-2020 12:47 AM
- Got Karma for Should the main index be replicated in an indexer cluster?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 |
04-08-2015
04:44 PM
This is my firewall ruleset:
RDP TCP 3389 my.local.host.IP/32
Custom TCP Rule TCP 514 0.0.0.0/0
SSH TCP 22 my.local.host.IP/32
Custom TCP Rule TCP 8191 my.aws.vlan.ip/20
Custom TCP Rule TCP 8089 my.aws.vlan.ip/20
Custom UDP Rule UDP 514 0.0.0.0/0
Custom TCP Rule TCP 9997 - 9999 my.aws.vlan.ip/20
Custom TCP Rule TCP 8000 0.0.0.0/0
Custom TCP Rule TCP 5900 - 5909 my.local.host.IP/32
Custom TCP Rule TCP 5800 0.0.0.0/0
[Actual IPs obfuscated to protect the innocent - lol!]
... View more
04-08-2015
04:38 PM
I increased the size of all the indexers (8 in my index cluster using repFactor = 5) and all of the search-head members of my search-head cluster (3 in my shc using searchFactor = 3) from ti.micro to m3.medium. No change - still getting those dreaded:
Search peer ip-172-31-20-173 has the following message: Too many streaming errors to target=172.31.20.120:9998. Not rolling hot buckets on further errors to this target. (This condition might exist with other targets too. Please check the logs)
Also changed the pass4SymmKey in each server.conf on all 8 indexers and the search-head members. I even did this by leaving the index cluster master with the previous value for pass4SymmKey to make sure that the indexers all got changed correctly. Leaving the master with the previous pass4SymmKey value resulted in the cluster not forming. After verifying that the cluster didn't form, I then made the change of the cluster master's pass4SymmKey to the values on each of the 8 indexers and the cluster then formed. This was the only way I could think of to verify that the pass4SymmKey was fully synchronized across the index cluster.
Really not sure where to take this now. I can certainly provide any splunkd.log records (or any other log) that anyone might suggest (either on on indexer and/or on a search-head member.
... View more
04-08-2015
11:21 AM
Ports are open in my firewall rules. I'm going to check if pumping up the instance type has an impact. Also, a previous reply suggested I check on the pass4symkey coordination within the index cluster and index cluster to search-head cluster. Almost certain I don't have an issue in that regard as I am generally diligent with those kinds of details. But it's easy enough to resynch those keys so I'll just do it.
Won't be getting to this until later this afternoon but will update this thread with the outcomes.
... View more
04-08-2015
09:18 AM
2 Karma
Also executing btool on the indexes configuration with the --debug flag will show which indexes.conf file is used in setting these retention attributes:
./Splunk btool indexes list --debug
This can be redirected to a txt file for additional analysis in a text editor like vim.
... View more
04-08-2015
08:55 AM
For the moment, though, I will mention that I can and do execute successful bundle pushes from the index cluster master to all 8 of my index cluster peers. I also see currently on any search-head on-going log entries in splunkd.log that the instance from which I'm running a tail in splunkd.log is making on-going connections to each of the 8 indexers. However, those are now the ONLY entries appearing in splunkd.log. that doesn't seem normal or expected behavior.
... View more
04-08-2015
08:50 AM
I'll check on this, but it will be later this afternoon. I will likely just change the pass4symkey value in a limited version of server.conf (ie just the pass4symkey element in the clustering stanza) in both the shcluster deployed bundle location and the cluster master bundle location executing the applicable bundle apply to each cluster.
Will update the post when this is completed.
... View more
04-08-2015
08:23 AM
Still stuck in this issue; I.e. no resolution - Splunk Web for a cluster index peer, the cluster master, or any search head cluster member throws on-going error messages about too many streaming errors so no replication. Oddly, my _internal, _audit, and SOS indexes continue to grow in terms of number of events, but trying to use SOS views for example of resource usage of an index cluster peer or search head cluster member still results in the previously mentioned error about no search results available.
Can't really move forward on my project, unfortunately.
... View more
04-07-2015
08:17 PM
OK. I may have discovered the cause of this issue. Looks like I have the inputs.conf file in the cluster master's bundle. Corrected this and this issue is now resolved.
Thanks for kicking and working me, esix_splunk!
... View more
04-07-2015
07:43 PM
I did just now try to change the Settings>General Settings>Server Settings>Index Settings>Default Host Name from the noted value of the cluster master hostname to the instance's hostname and after saving and restarting Splunk from Splunk Web find that it toggles back to the cluster master hostname value.
... View more
04-07-2015
07:35 PM
DMC is running on the cluster master.
All 8 indexers are configured with mode = slave in their respective server.conf files (with the source for that config item in the [clustering] stanza each coming from /opt/splunk/etc/system/local/server.conf. Looking at the Distributed Environment>Indexer Clustering config in each cluster peers Splunk Web also indicates they are peer nodes. And in the cluster master DMC > Setup panel each of the 8 remote instances are flagged as Indexer.
However, I just discovered a problem with these remote instances, the cause of which I cannot determine - all of the remote instances have the same Instance (host) value set as the cluster master. Each of these remote instances does have a correct and unique value for their respective Instance (serverName) and machine name. Not sure at all how the Instance (host) value got set to the value for the cluster master. I can of course easily change this in the Settings > Server Settings > Index Settings panel. Should I do this? (I would think so but want to confirm, especially since I did not make these settings myself but they must have been auto-generated).
... View more
04-07-2015
06:20 PM
I have 8 indexer instances in an indexer cluster with repFactor = 5. When logged into the index cluster master node's DMC, the Overview Panel shows the number of indexers as 5 on 5 machines (left-most panel of Overview) while the right-most panel indicates there are 8 peers searchable and the Distributed Environment>Indexer Clustering panel lists the 8 deployed indexers. Also, when I execute the show cluster-status command on the master, it also lists the 8 indexers in the cluster.
Can anyone provide some clarity on what is behind these mismatches - being a newbie to Splunk I'm reasonably certain it's just my lack of comprehensive understanding on the inner mechanisms of splunkd versus a deployment/operational problem. But if it is an operational problem, what are the likely configuration root-causes so I can remedy this.
In a different posted question I have also provided a set of troubleshooting information collections for another problem I am having with this first deployment of splunk - "too many streaming errors" resulting in hot bucket replication getting shutdown. Still could use big-time help on that issue but wanted to separate this question from the other for community management purposes.
... View more
04-06-2015
12:52 PM
I do spend a lot of time looking over the server.conf. anything in particular you suggest in that regard for possible impacters to this hot bucket replication/too many streaming errors conditions that is occurring in my deployment? I am only forwarding the search head data from _internal and _audit to the indexer layer. I can't really get a handle for why this would be causing a condition of too many streaming errors.
... View more
04-05-2015
05:06 PM
2 Karma
I have a distributed splunk deployment with search-head cluster, indexer cluster and forwarders. Currently, the main index is not replicated across the index cluster peers. Is that recommended (or the inverse, NOT recommended)?
... View more
04-05-2015
03:43 PM
Some more possibly important records:
04-04-2015 04:34:27.934 +0000 INFO TcpOutputProc - Connected to idx=172.31.18.186:9997
04-04-2015 04:34:58.007 +0000 INFO TcpOutputProc - Connected to idx=172.31.20.120:9997
04-04-2015 04:35:28.050 +0000 INFO TcpOutputProc - Connected to idx=172.31.26.200:9997
04-04-2015 04:35:58.089 +0000 INFO TcpOutputProc - Connected to idx=172.31.20.173:9997
04-04-2015 04:36:58.151 +0000 INFO TcpOutputProc - Connected to idx=172.31.20.120:9997
04-04-2015 04:37:47.871 +0000 INFO PipelineComponent - Performing early shutdown tasks
04-04-2015 04:37:47.871 +0000 INFO IndexProcessor - handleSignal : Disabling streaming searches.
04-04-2015 04:37:47.871 +0000 INFO IndexProcessor - request state change from=RUN to=SHUTDOWN_SIGNALED
04-04-2015 04:37:50.847 +0000 WARN CMMasterProxy - Master is down! Make sure pass4SymmKey is matching if master is running.
04-04-2015 04:37:50.847 +0000 ERROR ClusteringMgr - VerifyMultisiteConfig failed Error=failed method=GET path=/services/cluster/master/info/?output_mode=json master=ip-172-31-26-237:
8089 rv=0 actual_response_code=502 expected_response_code=200 status_line=Error connecting: Connection refused error=Connection refused
04-04-2015 04:37:50.847 +0000 ERROR GenerationGrabber - The searchhead is unable to update the peer information. Error = 'Unable to reach master' for master=https://ip-172-31-26-237:
8089.
... View more
04-05-2015
03:40 PM
Also don't understand the meaning and/or implications of this record:
04-04-2015 04:23:12.569 +0000 WARN DistributedPeerManager - Could not delete message id=CLUSTER_REPLICATION_LINK_FAILURE from peer: response_code=500
... View more
04-05-2015
03:38 PM
Some additional troubleshooting info. I have been analyzing the splunkd.log on one of the shc (search-head cluster) members and found the following entries (this is after a long set of records that traces problems that tagged prior to my finally realizing that I had forgotten to configure receiving on the indexer layer):
04-04-2015 03:27:59.122 +0000 INFO TcpOutputProc - Connected to idx=172.31.20.173:9997
04-04-2015 03:28:29.154 +0000 INFO TcpOutputProc - Connected to idx=172.31.26.200:9997
04-04-2015 03:28:59.230 +0000 INFO TcpOutputProc - Connected to idx=172.31.20.120:9997
04-04-2015 03:31:58.502 +0000 INFO TcpOutputProc - Connected to idx=172.31.18.186:9997
04-04-2015 03:32:13.735 +0000 WARN DistributedPeerManagerHeartbeat - Unable to get server info from peer: http://172.31.20.173:8089 due to: Connection refused
I'm not really sure what the root-cause problems are when a "WARN DistributedPeerManagerHeartbeat - Unable to get server info from peer: http://172.31.18.186:8089 due to: Connection refused" occurs.
... View more
04-05-2015
07:38 AM
Also, I am running ALL hosts in an AWS EC2 using the debian-wheezy-amd64-pvm-2015-01-28-ebs AMI run as a t1.micro instance type with storage of 15GB deployed on the shc members and the 4 forwarders (previous post indicated 3 forwarders - I actually have 4; not that this is a likely part of the issue) and 20GB on the index cluster members. Don't know if this is involved as an impact (the t1.micro instance), so wanted to bring it in as a possible factor.
... View more
04-05-2015
07:38 AM
On the search head cluster, when I run SOS from any member, I get the following info message when I execute the search of resource utilization of any monitored resource -
search index=sos sourcetype="ps" host="ip-172-31-23-108" | multikv | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | eval RSZ_MB=RSZ_KB/1024 | eval VSZ_MB=VSZ_KB/1024 | bin _time span=5s | stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time | stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time | bin _time span=4h | sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time
over the time range: (earliest indexed event) – 1/1/01 12:00:00.000 AM
did not return any data. Possible solutions are to: relax the primary search criteria
widen the time range of the search
check that the default search indexes for your account include the desired indexes
The following messages were returned by the search subsystem: WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.
Search filters specified using splunk_server/splunk_server_group do not match any search peer.
... View more
04-05-2015
06:29 AM
1 Karma
I am new to Splunk and trying to troubleshoot the "splunk newbies" dreaded "Search peer 'xxx' has the following message: Too many streaming errors to target='target':9997. Not rolling hot buckets on further errors to this target." issue on a distributed deployment built as follows:
Search layer composed of a search head cluster with 3 search heads and the cluster's deployer;
Index layer composed of an indexer cluster with 5 indexers the cluster's master node - cluster is configured using replication factor = 5
Forwarder layer currently deployed with 3 forwarders with a deployment server (not yet doing anything really with these forwarders until I get the issues identified in this post resolved.
I have sos app v 3.2.1 deployed on the shc members (applied successfully using cluster-bundle from the shc deployer) and configured to enable the 2 sos input scripts (sof_sos.sh and ps_sos.sh) on each of the 3 shc members. BTW, after doing this I realized I could and probably will make changes to the /apps/sos/local/inputs.conf on the shc deployer for better, more time efficient configuration management. I also deployed sideview utils v 3.3.2 to the shc members using cluster-bundle, although truth be told I inadvertently deployed sos apps BEFORE sideview utils, although I didn't configure sos before correcting this deployment fopaux (or should we call that foobar - lol).
I also deployed TA-sos v 2.0.5 on the 5 idx-cluster peers using the idx-cluster master node (apply cluster-bundle) and configured each idx-cluster peer to enable the 2 sos input scripts (sof_sos.sh and ps_sos.sh).
On 1 idx-cluster peer I have the following sets of configurations dumped using btool:
From indexes - (only showing configs that are not from the default indexes.conf)
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf [_audit] stanza
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf repFactor = auto
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf [_internal]
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf repFactor = auto
/opt/splunk/etc/system/default/indexes.conf [default]
/opt/splunk/etc/system/default/indexes.conf repFactor = 0
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf [main]
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf repFactor = auto
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf [sos]
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf coldPath = $SPLUNK_DB/sos/colddb
/opt/splunk/etc/system/default/indexes.conf defaultDatabase = main
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf disabled = 0
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf frozenTimePeriodInSecs = 2419200
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf homePath = $SPLUNK_DB/sos/db
/opt/splunk/etc/slave-apps/TA-sos/local/indexes.conf repFactor = auto
From idx cluster peer's inputs:
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf [script:///opt/splunk/etc/slave-apps/TA-sos/bin/lsof_sos.sh]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf disabled = 0
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf host = ip-172-31-26-237
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf index = sos
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf interval = 600
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf source = lsof_sos
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf sourcetype = lsof
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf disabled = 0
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf host = ip-172-31-26-237
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf index = sos
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf interval = 5
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf source = ps_sos
/opt/splunk/etc/slave-apps/TA-sos/local/inputs.conf sourcetype = ps
/opt/splunk/etc/system/default/inputs.conf [splunktcp]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/system/default/inputs.conf connection_host = ip
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf host = ip-172-31-26-237
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf disabled = 0
/opt/splunk/etc/slave-apps/_cluster/local/inputs.conf host = ip-172-31-26-237
/opt/splunk/etc/system/default/inputs.conf index = default
This is the configuration for ALL the idx cluster peers.
On any given idx cluster peer when I analyze the $SPLUNK_HOME/var/log/splunk/splunkd.log I get the following results (using the indicated log analysis command-line in the provided trace):
root@ip-172-31-26-200:/opt/splunk/var/log/splunk# grep CMStreamingErrorJob splunkd.log* | cut -d' ' -f10,12 | sort |uniq -c | sort -nr
178 srcGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=27EE43F3-BD89-4BC4-9200-298F99B4275A
170 srcGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=5BB335C9-340F-42CD-A5C6-C8269429D10A
169 srcGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=93BAC151-E057-4F37-9D16-C4CAB5A971E3
163 srcGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=37D7692E-5D49-432E-9A6F-89C0C68FACEF
12 srcGuid=37D7692E-5D49-432E-9A6F-89C0C68FACEF failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
12 srcGuid=27EE43F3-BD89-4BC4-9200-298F99B4275A failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
11 srcGuid=5BB335C9-340F-42CD-A5C6-C8269429D10A failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
10 srcGuid=93BAC151-E057-4F37-9D16-C4CAB5A971E3 failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
2 tgtGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=93BAC151-E057-4F37-9D16-C4CAB5A971E3
2 tgtGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=5BB335C9-340F-42CD-A5C6-C8269429D10A
1 tgtGuid=93BAC151-E057-4F37-9D16-C4CAB5A971E3 failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
1 tgtGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=37D7692E-5D49-432E-9A6F-89C0C68FACEF
1 tgtGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3 failingGuid=27EE43F3-BD89-4BC4-9200-298F99B4275A
1 tgtGuid=5BB335C9-340F-42CD-A5C6-C8269429D10A failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
1 tgtGuid=37D7692E-5D49-432E-9A6F-89C0C68FACEF failingGuid=78E65DE9-B82B-4F0A-A383-D0BC1189F9A3
If I watch -n 1 'ls -al' the processing of hot buckets for sos, I get the following as a snap-shot in time:
Every 1.0s: ls -alt Sun Apr 5 13:19:59 2015
total 132
drwx--x--x 3 splunk splunk 4096 Apr 5 13:19 .
drwx------ 47 splunk splunk 4096 Apr 5 13:19 ..
-rw------- 1 splunk splunk 1585 Apr 5 13:19 1428239997-1428239997-1367416106440166490.tsidx
-rw------- 1 splunk splunk 1616 Apr 5 13:19 1428239992-1428239992-1367415778757555421.tsidx
-rw------- 1 splunk splunk 1617 Apr 5 13:19 1428239987-1428239987-1367415450991673577.tsidx
-rw------- 1 splunk splunk 1969 Apr 5 13:19 1428239982-1428239981-1367415123329070425.tsidx
-rw------- 1 splunk splunk 80922 Apr 5 13:19 1428239977-1428237297-1367414798428158871.tsidx
-rw------- 1 splunk splunk 291 Apr 5 13:19 Hosts.data
-rw------- 1 splunk splunk 7 Apr 5 13:19 .rawSize
-rw------- 1 splunk splunk 97 Apr 5 13:19 Sources.data
-rw------- 1 splunk splunk 97 Apr 5 13:19 SourceTypes.data
drwx------ 2 splunk splunk 4096 Apr 5 13:17 rawdata
-rw------- 1 splunk splunk 41 Apr 5 12:34 Strings.data
-rw------- 1 splunk splunk 67 Apr 5 12:34 bucket_info.csv
I've done some minor poking about using ipTraf, iotop, netstat, tried successfully establishing tcp connections from each of the shc members to each of the idx cluster peers using netcat to port 9997.
I really don't know how to go forward on this troubleshootin,g but wanted to give everything I've done so all could hopefully zero in on whatever it is I am missing here. I haven't tried yet to add additional indexers to the cluster - I was thinking about adding 3 more to make a repFactor deployment of 8 / 5 (8 peers over repFactor = 5), but think I'm going to wait on this until I get a solid operating condition on the current deployment (want to control the dependent variables in this little exercise/experiment).
Thanks in advance to any and all that take the time to read my short summary of the situation - lol!
... View more
04-05-2015
05:17 AM
1 Karma
I got the issues I brought up in this thread resolved but that resolution has morphed into another set of "show stopper" issues: replication bucket job failures. I am going to open that into its own thread, though, for orderly community board posting etiquette.
... View more
04-03-2015
03:16 PM
I did have a previous post - "How to get search head cluster members to forward internal data to indexer cluster? - but don't think it is working correctly - yet.
I am a bit confused by one item in the "Best practice: Forward search head data to the indexer layer (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Forwardsearchheaddata) documentation step 1. which states:
Make sure that all necessary indexes exist on the indexers. For example, the S.o.S app uses a scripted input that puts data into a custom index. If you install S.o.S on the search head, you need to also install the S.o.S Add-on on the indexers, to provide the indexers with the necessary index settings for the data the app generates. On the other hand, since _audit and _internal exist on indexers as well as search heads, you do not need to create separate versions of those indexes to hold the corresponding search head data.
Now I do have S.O.S. configured (and running) on each of my search head cluster members, so do I also need to have S.O.S. installed on the indexers if what I want to have pushed down to the indexer layer from the search head is the _audit and _internal data?
On the search head cluster member's outputs.conf (they have the same outputs.conf) I have the following in the
[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = true
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = false
blockWarnThreshold = 100
sslQuietShutdown = false
defaultGroup = transtrophe_search_peers
[syslog]
type = udp
priority = <13>
dropEventsOnQueueFull = -1
maxEventSize = 1024
[indexAndForward]
index = false
[tcpout:transtrophe_search_peers]
server=ip-172-31-20-173:9997,ip-172-31-18-186:9997,ip-172-31-22-253:9997,ip-172-31-26-200:9997,ip-172-31-20-120:9997
autoLB = true
... View more
04-02-2015
07:35 PM
Problem resolved; forgot to configure receiving port in the inputs.conf on my index cluster members. Did this via a cluster-bundle application from the master node. All the queue blocking dissipated in about 15 seconds.
I have run into a new issue, however, but will open that up in a new question thread -
How to identify root cause and resolve "Search peer has the following message: Too many streaming errors to target=. Not rolling hot buckets on further errors to this target. (This condition might exist with other targets too. Please check the logs)?"
... View more
04-01-2015
08:39 PM
Well, I do have firewall rules for inbound connections to ports 8089, 8191 and 9997 for the subnet that the shcluster members, index cluster members and forwarders (as well as the shcluster deployer and forwarders' deployment server). Here is the result just now of doing a nc -vv from the shcluster captain to one of the index cluster members over port 9997:
root@ip-172-31-17-5:/home/admin# nc -vv ip-172-31-18-186 9997
ip-172-31-18-186.ec2.internal [172.31.18.186] 9997 (?) open
?_rawN?6?bm?wV
_meta_subsecond::.243576_time
1427945390
__s2s_bid%37D7692E-5D49-432E-9A6F-89C0C68FACEF
__s2s_rtype
eChallengeMetaData:Hostip-172-31-18-186_raw
It looks like there is a challenge that is no resolving which opens the following question for me: Does there need to be coordination of the symmetrical secret used by the shcluster members and the index cluster members? I know that when using the deployer with the shcluster members this is the case, as well as for the master node and index cluster peers. Didn't see anything in the documentation that called for this pass4symmkey coordination when implementing forwarding from the shcluster members to the index layer of a distributed deployment.
... View more
04-01-2015
07:47 PM
Here is a sample of metrics.log records showing the connection trys and fails - this is from the shcluster captain with the destinations being my index cluster peers. I am observing here that the dest port is 9997 (the replication port) as specified in the outputs.conf [tcpout:transtrophe_search_peers] stanza while the source port of the captain (all the shcluster members actually) = 8089 (the uri mgmt port).
04-02-2015 02:36:20.723 +0000 INFO StatusMgr - destHost=ip-172-31-22-253, destIp=172.31.22.253, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
04-02-2015 02:36:20.724 +0000 INFO StatusMgr - destHost=ip-172-31-22-253, destIp=172.31.22.253, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
04-02-2015 02:36:20.725 +0000 INFO StatusMgr - destHost=ip-172-31-20-120, destIp=172.31.20.120, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
04-02-2015 02:36:20.726 +0000 INFO StatusMgr - destHost=ip-172-31-20-120, destIp=172.31.20.120, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
... View more
04-01-2015
07:35 PM
Also, I was just looking at the metrics.log on one of the shcluster members for all the blocked entries and based on those records adjusted the size of the blocked queues to be about 15% larger then the noted largest size. Then, after making these changes, I did a rolling-restart from the captain.
Checking metrics.log I am observing the following log record on the captain and 1 of the shcluster members:
04-02-2015 02:30:07.252 +0000 INFO Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=2048, current_size_kb=2047, current_size=766, largest_size=766, smallest_size=766
Not sure why this indexqueue would be blocking when the max_size_kb is significantly larger than the current_size
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
