×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Ledion_Bitincka
Splunk Employee
Member since: ‎01-15-2010
‎06-05-2020
Community Statistics
Posts 313
Solutions 72
Karma Given 53
Karma Received 252
Member Since ‎01-15-2010
Activity Feed
Topics I've Started
View All

Re: Hunk export bug

by Splunk Employee in Reporting
‎11-21-2013 06:21 PM
2 Karma
‎11-21-2013 06:21 PM
2 Karma
The export button should be disabled while the search is running with a hover message "Export - You can only export results for completed jobs". If the export button is enabled then this is most likely a browser compatibility related issue. ... View more

Re: Hunk and Cloudera CDH4.4 (hdfs and mapred V1) ...

by Splunk Employee in All Apps and Add-ons
‎11-20-2013 10:41 AM
‎11-20-2013 10:41 AM
Thomas, a) you don't need to run Splunk as a Hadoop super user (hdfs or mapred) in order to access HDFS and/or submit MapReduce jobs. So, as long as the Splunk user has : read permission to the data files write permission to the vix.splunk.home.hdfs (HDFS path) allowed to submit MapReduce jobs you'll be fine b) vix.splunk.home.datanode - is a path in the TaskTracker/DataNode local fs, this path does not need to exist in HDFS. The local fs path needs to be writable to the mapred local user. We default this path to /tmp/splunk/$SPLUNK_SERVER_NAME/ because generally /tmp/ is writable by everyone. btw feel free to reach out to me directly over email so we can resolve your issues faster ledion at splunk dot com ... View more

Re: Hunk and Cloudera CDH4.4 (hdfs and mapred V1) ...

by Splunk Employee in All Apps and Add-ons
‎11-19-2013 10:14 AM
1 Karma
‎11-19-2013 10:14 AM
1 Karma
Thomas, Problem 1 It seems like this is not an issue anymore but let me explain, "vix.env.MAPREDUCE_USER" is only required if the user that Splunk is running as does not have permissions to interact with HDFS and submit MR jobs. When this field is specified the user must exist in the server running Splunk and the user that runs Splunk must have the ability to sudo as that user Problem 2 First, I'd recommend that you assign a different sourcetype to the data rather than work with the default preprocess-gzip - you can assign a sourcetype and specify extractions based on source too, e.g. props.conf # ... means recursively assign the sourcetype to the files under this dir [source::/path/to/some/dir/...] sourcetype = foobar EXTRACT-foo = .... The .avro message is a WARN, not an error, and it is expected - as in the default config we ship a record reader that can read avro files. The root cause of problem 2 is indicated by the trace you provided 2013-11-19 11:33:15,845 WARN org.apache.hadoop.mapred.Child: Error running child java.io.IOException: Permission denied at java.io.UnixFileSystem.createFileExclusively(Native Method) at java.io.File.createNewFile(File.java:900) at com.splunk.mr.SetupCommandHandler.setupSplunk(SetupCommandHandler.java:167) at com.splunk.mr.SplunkMR$SplunkSearchMapper.ensureSplunkdEnv(SplunkMR.java:599 This trace indicates that the mapred user on the TaskTracker does not have permission to write to the directory where we copy the Splunk package - the path defaults to vix.splunk.home.datanode = /tmp/splunk/$SPLUNK_SERVER_NAME/ Can you please check to ensure that /tmp/ is writable (on TaskTrackers) and who owns /tmp/splunk if that dir is present? ... View more

Re: EMR issues, MapReduce job killed

by Splunk Employee in Splunk Search
‎11-14-2013 09:21 PM
1 Karma
‎11-14-2013 09:21 PM
1 Karma
This issue is caused by a mechanism that Hunk has in place to reduce the runaway jobs - ie MapReduce jobs which keep running even though the client is not interested in the results. Hunk solves this problem by having the Hunk server heartbeat in a specific location in the file system (hdfs/maprf/s3n ...) and the map tasks check the heartbeat to ensure that the Hunk search is still running. However, this relies on the filesystem rename operations to happen relatively quickly (<1s)- in some filesystems, like s3n, the renames operations take a much longer time, when this time exceeds the missed heartbeat threshold the MapReduce job commits suicide and you see the above log message. The runway job logic can be completely disabled by setting the following variable in the provider vix.splunk.heartbeat = 0 or you can tinker with the default heartbeat interval (in ms) and threshold (in missed heartbeats) by setting/updating vix.splunk.heartbeat.threshold = 60 vix.splunk.heartbeat.interval = 1000 Finally, it might be a good idea to switch to using s3 rather than s3n, according to this article s3 offers efficient implementation of renames ... View more

EMR issues, MapReduce job killed

by Splunk Employee in Splunk Search
‎11-14-2013 07:20 PM
‎11-14-2013 07:20 PM
I'm running into an issue with Hunk searches that spawn a MapReduce job in my EMR cluster. The MR job seems to be killed after some time, even though no user issued a kill command to the job - so somehow it seems like Hunk is killing the job. Digging through the task logs I noticed the following interesting line INFO com.splunk.mr.SplunkMR$SplunkBaseMapper (main): No heart beat received from Splunk, killing the MR job id=job_201310150205_0001 ... View more

Re: Hunk field extractor issues

by Splunk Employee in All Apps and Add-ons
‎11-14-2013 04:08 PM
1 Karma
‎11-14-2013 04:08 PM
1 Karma
The solution here would be to use props.conf to assign a sourcetype to the data (that's of the same or similar format) based on some source pattern, for example: # assign all files under this dir sourcetype=foobar [source::/path/to/data/...] sourcetype = foobar # assign all files named foobarbaz.log* sourcetype=foobarbaz [source::.../foobarbaz.log*] sourcetype = foobarbaz Once this is done, you can then key field extractions off of the sourcetype ... View more

Re: Hunk search problem: Cannot initialize Cluster...

by Splunk Employee in Splunk Search
‎10-16-2013 12:00 PM
1 Karma
‎10-16-2013 12:00 PM
1 Karma
This issue is caused by the Hadoop client libraries being incompatible with the Hadoop version that the cluster is running. In my case above I was using CDH4.3.1 libraries to talk to CDH4.3.0. The problem went away when using the same client library version as the cluster. To check for compatibility I would recommend running the following commands: $HADOOP_HOME/bin/hadoop fs -ls hdfs://namenode:ipc_port/ $HADOOP_HOME/bin/hadoop jobs -jt jobtracker:ipc_port -list all ... View more

Hunk search problem: Cannot initialize Cluster.

by Splunk Employee in Splunk Search
‎10-16-2013 11:24 AM
‎10-16-2013 11:24 AM
I've configured Hunk to run searches against my cluster however I keep running into this issue when I try to execute a reporting search (stats, top, chart etc) - streaming searches seem to be working just fine INFO ERP.hadoop - Cluster - Failed to use org.apache.hadoop.mapred.LocalClientProtocolProvider due to error: Invalid "mapreduce.jobtracker.address" configuration value for LocalJobRunner : "xxxx.splunk.com:8021" ERROR ERP.hadoop - UserGroupInformation - PriviledgedActionException as:lbitincka (auth:SIMPLE) cause:java.io.IOException: Cannot initialize Cluster. Please check your configuration for mapreduce.framework.name and the correspond server addresses. ERROR ERP.hadoop - AsyncMRJob - Cannot initialize Cluster. Please check your configuration for mapreduce.framework.name and the correspond server addresses. ERROR ERP.hadoop - java.io.IOException: Cannot initialize Cluster. Please check your configuration for mapreduce.framework.name and the correspond server addresses. ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Cluster.initialize(Cluster.java:121) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Cluster.<init>(Cluster.java:83) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Cluster.<init>(Cluster.java:76) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Job$10.run(Job.java:1239) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Job$10.run(Job.java:1235) ERROR ERP.hadoop - at java.security.AccessController.doPrivileged(Native Method) ERROR ERP.hadoop - at javax.security.auth.Subject.doAs(Subject.java:415) ERROR ERP.hadoop - at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Job.connect(Job.java:1234) ERROR ERP.hadoop - at org.apache.hadoop.mapreduce.Job.submit(Job.java:1263) ERROR ERP.hadoop - at com.splunk.mr.AsyncMRJob.run(AsyncMRJob.java:131) ERROR ERP.hadoop - at java.lang.Thread.run(Thread.java:724) ... View more

Re: Issue reading snappy files using Hunk

by Splunk Employee in All Apps and Add-ons
‎10-16-2013 11:18 AM
‎10-16-2013 11:18 AM
This error is different from the original error (regarding the native libraries not being found). In this case we're not finding the SnappyCodec java class ERROR ERP.EMR - Caused by: java.lang.ClassNotFoundException: ERROR ERP.EMR - org.apache.hadoop.io.compress.SnappyCodec This is most likely caused by the SnappyCodec not being present in one of the classpath jars. You can verify that using the following command: $HADOOP_HOME/bin/hadoop classpath | sed 's/:/\n/g' | grep '.jar$' | xargs -n1 jar -J-Xmx512m -tf | grep Snappy If snappy is present you should see the following output: org/apache/hadoop/io/compress/SnappyCodec.class org/apache/hadoop/io/compress/snappy/LoadSnappy.class org/apache/hadoop/io/compress/snappy/SnappyCompressor.class org/apache/hadoop/io/compress/snappy/SnappyDecompressor.class ... View more

Re: Issue reading snappy files using Hunk

by Splunk Employee in All Apps and Add-ons
‎10-11-2013 11:46 AM
‎10-11-2013 11:46 AM
Try installing g++ using the following command and try to build snappy again sudo yum install gcc-c++ ... View more

Re: Issue reading snappy files using Hunk

by Splunk Employee in All Apps and Add-ons
‎10-10-2013 02:46 PM
2 Karma
‎10-10-2013 02:46 PM
2 Karma
In order to provide quick previews, Hunk processes a few file splits in the search head. To process .snappy compressed files you'd need to have the appropriate snappy libraries set up in the search head (in addition to having it already setup in Hadoop). To set up snappy in the search head follow these steps: download snappy follow the steps to build snappy copy libsnappy.so (and associated symlinks) to $HADOOP_HOME/lib/native/<arch>/ Here's how the content of that dir look for me after adding snappy [lbitincka@ronnie hadoop]$ ls -lah lib/native/Linux-amd64-64/ total 1.3M drwxr-xr-x 2 lbitincka 1125 4.0K Oct 10 14:42 . drwxr-xr-x 3 lbitincka 1125 4.0K Aug 19 18:33 .. -rw-r--r-- 1 lbitincka 1125 424K Aug 19 18:29 libhadoop.a -rw-r--r-- 1 lbitincka 1125 1004 Aug 19 18:29 libhadoop.la -rw-r--r-- 1 lbitincka 1125 227K Aug 19 18:29 libhadoop.so -rw-r--r-- 1 lbitincka 1125 227K Aug 19 18:29 libhadoop.so.1 -rw-r--r-- 1 lbitincka 1125 227K Aug 19 18:29 libhadoop.so.1.0.0 lrwxrwxrwx 1 lbitincka 1125 18 Oct 10 14:42 libsnappy.so -> libsnappy.so.1.1.4 lrwxrwxrwx 1 lbitincka 1125 18 Oct 10 14:42 libsnappy.so.1 -> libsnappy.so.1.1.4 -rwxr-xr-x 1 lbitincka 1125 126K Oct 10 14:25 libsnappy.so.1.1.4 Also, when running searches against .snappy data you should also notice log lines like these in search.log 10-10-2013 14:26:03.736 WARN ERP.hunk - LoadSnappy - Snappy native library is available 10-10-2013 14:26:03.737 INFO ERP.hunk - NativeCodeLoader - Loaded the native-hadoop library 10-10-2013 14:26:03.737 INFO ERP.hunk - LoadSnappy - Snappy native library loaded 10-10-2013 14:26:03.744 INFO ERP.hunk - CodecPool - Got brand-new decompressor ... View more

Issue reading snappy files using Hunk

by Splunk Employee in All Apps and Add-ons
‎10-10-2013 02:37 PM
‎10-10-2013 02:37 PM
I'm seeing the following exception in search.log (in the Hunk search head) when I have snappy compressed (.snappy) files in my virtual index directory SplunkMR$SearchHandler$1 - native snappy library not available java.lang.RuntimeException: native snappy library not available at org.apache.hadoop.io.compress.SnappyCodec.getDecompressorType(SnappyCodec.java:189) at org.apache.hadoop.io.compress.CodecPool.getDecompressor(CodecPool.java:125) at org.apache.hadoop.mapreduce.lib.input.LineRecordReader.initialize(LineRecordReader.java:78) at com.splunk.mr.input.SplunkLineRecordReader.vixInitialize(SplunkLineRecordReader.java:18) at com.splunk.mr.input.BaseSplunkRecordReader.initialize(BaseSplunkRecordReader.java:49) at com.splunk.mr.SplunkMR$SplunkBaseMapper.stream(SplunkMR.java:512) at com.splunk.mr.SplunkMR$SearchHandler.streamData(SplunkMR.java:1012) at com.splunk.mr.SplunkMR$SearchHandler$1.accept(SplunkMR.java:1024) at com.splunk.mr.SplunkMR$SearchHandler$1.accept(SplunkMR.java:1021) at com.splunk.mr.input.VirtualIndex$VIXPathSpecifier.addStatus(VirtualIndex.java:185) at com.splunk.mr.input.VirtualIndex$VIXPathSpecifier.listStatus(VirtualIndex.java:216) at com.splunk.mr.input.VirtualIndex.listStatus(VirtualIndex.java:553) at com.splunk.mr.input.SplunkInputFormat.acceptFiles(SplunkInputFormat.java:181) at com.splunk.mr.SplunkMR$SearchHandler.streamData(SplunkMR.java:1037) at com.splunk.mr.SplunkMR$SearchHandler.executeImpl(SplunkMR.java:1166) at com.splunk.mr.SplunkMR$SearchHandler.execute(SplunkMR.java:1085) at com.splunk.mr.SplunkMR.runImpl(SplunkMR.java:1380) at com.splunk.mr.SplunkMR.run(SplunkMR.java:1222) at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:65) at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:79) at com.splunk.mr.SplunkMR.main(SplunkMR.java:1392) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.hadoop.util.RunJar.main(RunJar.java:160) ... View more

Re: Exception when running a search in Hunk

by Splunk Employee in Splunk Search
‎10-06-2013 10:41 PM
2 Karma
‎10-06-2013 10:41 PM
2 Karma
This error is caused by older versions of Hadoop distributions shipping with a very old version of Jackson JSON parser. This issue was tracked via HADOOP-7470 and fixed in Hadoop 1.0.1. Therefore if you're using a Hadoop version older than 1.0.1 you are very likely to run into this problem as well. Hadoop 1.0.1 shipped on Feb 2012, and we strongly recommend that you upgrade your deployment to a more recent version. If upgrading is not an option, then you can fix this issue by following these steps: download jackson-core-asl-1.8.8.jar and jackson-mapper-asl-1.8.8.jar place them in a directory in the Hunk server, e.g. /opt/jackson/jars/ add the following config setting to the provider in Hunk (Settings >> Virtual Indexes) or by editing indexes.conf vix.splunk.jars = /path/to/jackson/jars/dir/ ... View more

Exception when running a search in Hunk

by Splunk Employee in Splunk Search
‎10-06-2013 10:27 PM
‎10-06-2013 10:27 PM
I see the following exception in search.log when running a Hunk search against my cluster: Exception in thread "main" java.lang.NoSuchMethodError: org.codehaus.jackson.map.ObjectMapper.writeValueAsString(Ljava/lang/Object;)Ljava/lang/String; ... View more

Re: Error while running Hunk search: Cannot initia...

by Splunk Employee in Deployment Architecture
‎09-18-2013 06:21 AM
‎09-18-2013 06:21 AM
We've seen this error come up a number of times and the error message (thrown by the Hadoop libraries) is misleading. The root cause of the problem in our observations has been a mismatch between the Hadoop client libraries on the Hunk server and Hadoop cluster. Therefore, the first thing you want to do is check that the versions are exactly the same Just a reminder that Hadoop is very sensitive when it comes to the library versions so we strongly recommend that you use the exact same version as the cluster. ... View more

Error while running Hunk search: Cannot initialize...

by Splunk Employee in Deployment Architecture
‎09-18-2013 06:18 AM
‎09-18-2013 06:18 AM
I've managed to setup Hunk and run streaming searches without any problem. However when I try to run a reporting search, that starts a MapReduce job the search fails with an error message like this: JobStartException - Failed to start MapReduce job. Please consult search.log for more information. Message: [Failed to start MapReduce job, name=....] and [Cannot initialize Cluster. Please check your configuration for mapreduce.framework.name and the correspond server addresses.] Any ideas what could be happening? ... View more

Re: Hadoop Connect - how to change the polling fr...

by Splunk Employee in All Apps and Add-ons
‎09-03-2013 11:32 AM
‎09-03-2013 11:32 AM
I'd recommend that you follow the docs on modular inputs and then follow the usage/definition of "whitelist"/"blacklist". Just like with any other default app resouce changes you'd have to be careful during an upgrade of the app, as the new version would overwrite any changes you might have made. ... View more

Re: Hadoop Connect - how to change the polling fr...

by Splunk Employee in All Apps and Add-ons
‎09-02-2013 11:41 PM
1 Karma
‎09-02-2013 11:41 PM
1 Karma
I am assuming here that the lsr load is coming from the indexing component (modular inputs) - let us know if that is not the case Unfortunately the polling frequency for HDFS based inputs is not exposed as a configuration variable. However you can easily modify it in the bin/hdfs.py file 276 def run(): 277 278 config = get_config() .... 322 323 # check every 60 seconds for new entries 324 time.sleep(60) ... View more

Re: Splunk Hadoop Connect - unable to read snappy ...

by Splunk Employee in All Apps and Add-ons
‎07-09-2013 05:01 PM
‎07-09-2013 05:01 PM
Thanks for pointing this out - I've filed a requirement for us to address this during our next revision of the app. ... View more

Re: Hadoop Connect with Apache Hadoop 1.0.3

by Splunk Employee in All Apps and Add-ons
‎03-13-2013 10:58 AM
‎03-13-2013 10:58 AM
Can you please file a support case and include a diag so we can take a look at the log files as well? ... View more

Re: Hadoop Connect with Apache Hadoop 1.0.3

by Splunk Employee in All Apps and Add-ons
‎03-12-2013 10:41 AM
‎03-12-2013 10:41 AM
Hadoop Connect tries to find the version of the cluster by using jmx or a fallback mechanism. What does this URL return in your evinronment: http://[namenode-host]:50070/jmx?qry=*adoop:service=NameNode,name=NameNodeInfo ... View more

Re: Issues while using admin/password endpoint

by Splunk Employee in Splunk Dev
‎02-26-2013 11:00 AM
‎02-26-2013 11:00 AM
Kiran, I'd suggest you ask another question so one of our internal python experts would be able to point you to the right direction. I can make one recommendation that has worked for me in the past, in MySQL Connector app, try to find a pure python driver for MSSQL if at all possible - then you'd be able to use it just by placing it in your app's bin dir (see MySQLConnector for an example of how/where to place the driver). ... View more

Re: Issues while using admin/password endpoint

by Splunk Employee in Splunk Dev
‎02-25-2013 12:20 PM
‎02-25-2013 12:20 PM
hmm still can't repro. Does the same thing happen for other password values too? ... View more

Re: Issues while using admin/password endpoint

by Splunk Employee in Splunk Dev
‎02-25-2013 10:29 AM
‎02-25-2013 10:29 AM
Hmm, I'm not able to reproduce the problem in that build. Does this happen for all passwords or just this one? Do you mind sharing the clear password string - I hope it's not real 🙂 ... View more

Re: Issues while using admin/password endpoint

by Splunk Employee in Splunk Dev
‎02-25-2013 09:42 AM
‎02-25-2013 09:42 AM
What version of Splunk are you using, so I can try to repro this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to