Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ron45
ron45
Explorer
Member since:
01-06-2011
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 01-06-2011 |
Activity Feed
- Got Karma for loosing events from light forwarder. 06-05-2020 12:45 AM
- Posted Re: Splunkd crashing because of Segmentation fault on Monitoring Splunk. 01-27-2011 09:25 AM
- Posted Splunkd crashing because of Segmentation fault on Monitoring Splunk. 01-26-2011 09:36 AM
- Tagged Splunkd crashing because of Segmentation fault on Monitoring Splunk. 01-26-2011 09:36 AM
- Tagged Splunkd crashing because of Segmentation fault on Monitoring Splunk. 01-26-2011 09:36 AM
- Posted Re: loosing events from light forwarder on Deployment Architecture. 01-11-2011 08:59 AM
- Posted Re: loosing events from light forwarder on Deployment Architecture. 01-07-2011 12:43 PM
- Posted Re: loosing events from light forwarder on Deployment Architecture. 01-07-2011 12:33 PM
- Posted loosing events from light forwarder on Deployment Architecture. 01-06-2011 12:49 PM
- Tagged loosing events from light forwarder on Deployment Architecture. 01-06-2011 12:49 PM
- Tagged loosing events from light forwarder on Deployment Architecture. 01-06-2011 12:49 PM
- Tagged loosing events from light forwarder on Deployment Architecture. 01-06-2011 12:49 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 |
01-27-2011
09:25 AM
Thanks for the hint, I gonna open a support call by splunk support today.
regards,
Aaron
... View more
01-26-2011
09:36 AM
Hello,
we have running Splunk Version 4.1.6 build 89596 on AIX 6.1. From time to time splunkd is crashing with Segmentation fault on address [0x00000004]. Its always the same address who causes the problem. Here is an extract out of the crash.log:
[build 89596] 2011-01-26 09:52:12
Received fatal signal 11 (Segmentation fault).
Cause:
Memory access denied at address [0x00000004].
Crashing thread: Main Thread
Registers:
IAR: [0x1001EAE4] ?
MSR: [0x0000D032]
R0: [0xFFFFFFFF]
R1: [0x2FF22320]
R2: [0x00000000]
R3: [0x00000001]
R4: [0x432B2B00]
R5: [0x00000008]
R6: [0x00000010]
R7: [0x3453F968]
R8: [0x2FF21534]
...
What can we do? Is this problem known? Where to send the crash.log
Kind regards,
Aaron
... View more
- Tags:
- crash
- segmentation
01-07-2011
12:43 PM
Hi, we have a 28 Lightforwarder working towards an index machine. All of them running on huge AIX systems. All logs together producing just around 3 GB per day (ca 30 million events). As wore in the other commend I've now increased the TRUNCATE value in props.conf. If this doesn't help i'll try encreasing the bandwith from 256 kbit to 512 kbit. In my opinion the bandwith shouldn't matter because its aproximatly some 40 MB logs comming from this particular lightforwarder. Up to now i haven't encountered this problem on other systems...
... View more
01-07-2011
12:33 PM
Hi, yesterday I've checked the queues on index server side, they are all OK (betw. 0 and 37% max usage). After checking the applikation log entrys on the lightforwareder i did found some huge entry's in the logfile. Each entry (event) has around 2062 bytes and sometime 5 of these events occuring with the same timestamp. This events are around the time where the problem occures. So I did encrease now the TRUNCATE value to 20000 in the props.conf of lightforwarder and indexer, hopefully that helps.
... View more
01-06-2011
12:49 PM
1 Karma
Hi there
We use a configuration of splunk light forwarders and a splunk index server. The light forwarders using tcp to write data to the index server. Now we've encountered, some lines of logfiles are missing on index side. Splunk logfiles (on light forwarder and index server) don't show any errors.
An example of lost data is:
Original Logfile:
06.01.2011 05:10:46 INFO Worldcheck import: 6,000 (22/sec)
06.01.2011 05:11:24 INFO Worldcheck import: 7,000 (26/sec)
06.01.2011 05:11:57 INFO Worldcheck import: 8,000 (29/sec)
06.01.2011 05:12:33 INFO Worldcheck import: 9,000 (27/sec)
06.01.2011 05:13:00 INFO Worldcheck import: 10,000 (37/sec)
06.01.2011 05:13:09 INFO Worldcheck import: 10,394 (43/sec)
On side of splunk index server we have for the same time:
06.01.2011 05:10:46 INFO Worldcheck import: 6,000 (22/sec)
06.01.2011 05:11:57 INFO Worldcheck import: 8,000 (29/sec)
06.01.2011 05:13:00 INFO Worldcheck import: 10,000 (37/sec)
06.01.2011 05:13:09 INFO Worldcheck import: 10,394 (43/sec)
As you can see in original logfile there are 6 lines output, on splunk index side only 4 lines output got received. Means 30% loss!
Gives me a bit bad taste, because of some 30 million events a day I'm not able to proof every event got recorded.
Does anyone have an idea how to ensure data from lightforwarder are written on splunk index server for sure?
output.conf on lightforwarder looks like:
[tcpout]
disabled = false
defaultGroup = group1_58499
[tcpout:group1_58499]
disabled = false
server = splunk:58499
[tcpout:RouteSplunkLogs]
disabled = true
server = splunk:58499
Kind regards,
Aaron
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
