Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nickhillscpl
nickhillscpl
Ultra Champion
Member since:
10-10-2011
06-23-2020
Community Statistics
| Posts | 1700 |
| Solutions | 252 |
| Karma Given | 142 |
| Karma Received | 345 |
| Member Since | 10-10-2011 |
Activity Feed
- Got Karma for Re: Why is there Splunk indexers data replication failure?. a month ago
- Got Karma for Re: AWS TA - S3 Generic input. Insane Memory Usage!. 06-15-2020 04:41 PM
- Karma Re: AWS TA - S3 Generic input. Insane Memory Usage! for PavelP. 06-12-2020 08:52 AM
- Posted Re: AWS TA - S3 Generic input. Insane Memory Usage! on All Apps and Add-ons. 06-12-2020 08:42 AM
- Got Karma for GOTCHA: Upgraded Memory with systemd? Read This!. 06-05-2020 04:16 PM
- Karma Re: Sizing for Splunk4Rookies-style Workshop with 20-40 participants for jschogel_splunk. 06-05-2020 12:51 AM
- Karma Re: Splunk light alerts to Splunk Enterprise for gcusello. 06-05-2020 12:51 AM
- Karma Re: how to get the string data as a json object for the below logstash logs? for vnravikumar. 06-05-2020 12:51 AM
- Karma Re: After creating a user, error shows" Cannot create user that already exists"? for scott_sackrider. 06-05-2020 12:51 AM
- Karma Re: How do you match ip address with ip's with CIDR notations in the same lookuptable? for rmmiller. 06-05-2020 12:51 AM
- Karma Re: Dedup Command information for HiroshiSatoh. 06-05-2020 12:51 AM
- Karma Re: How to rename dynamic column name? for gcusello. 06-05-2020 12:51 AM
- Karma Re: How to keyword search values in a lookup table without using field names for marycordova. 06-05-2020 12:51 AM
- Karma Re: Can Splunk find love? for to4kawa. 06-05-2020 12:51 AM
- Karma Re: Run SPL command once and store result to access faster for martinpu. 06-05-2020 12:51 AM
- Karma Re: Sourcetype changes when we moved from loginsight to syslog-ng for richgalloway. 06-05-2020 12:51 AM
- Karma Re: Is there a way to calculate percentile of a row values in table? for 493669. 06-05-2020 12:51 AM
- Karma Re: I am trying to use regular expression to remove the keyword %5C from my extracted filed for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: SmartStore - Data not being frozen/deleted for rbal_splunk. 06-05-2020 12:51 AM
- Karma Re: Using a proxy with S3 storage cause cluster become unstable with Indexers flapping from up to down for nclancy_splunk. 06-05-2020 12:51 AM
06-12-2020
08:42 AM
1 Karma
An update on this: This was related to my recent post about memory allocation on systemd. I managed to work around the problem by giving the host a large fast swap disk, but the crux of the issue was the constrained memory limit in the systemd unit file. See: https://community.splunk.com/t5/Installation/GOTCHA-Upgraded-Memory-with-systemd-Read-This/m-p/501871#M6313 Fixing the root caused eradicated the issue!
... View more
05-29-2020
03:00 AM
Hi Rich,
I had a think about how to phrase this as question/answer but couldn't really come up with a format that didn't sound patronising. 😞
Splunk used this post to re-write the documentation page, so I guess it has served its purpose, accordingly I have marked it as answered.
... View more
05-29-2020
02:57 AM
1 Karma
Following my submission, the documentation has been updated to reflect this. It now reads:
The MemoryLimit value is set to the
total system memory available in bytes
when the service unit file is created.
The MemoryLimit value will not update
if the total available system memory
changes. To update the MemoryLimit
value in the unit file, you can
manually edit the value or use the
boot-start command to disable and
re-enable systemd.
http://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/RunSplunkassystemdservice
The Splunk Docs team are still reviewing this, but this revised wording certainly makes it clearer.
Thanks Edward K!
... View more
05-21-2020
02:26 AM
7 Karma
If you are running Splunk with systemd and have ever upgraded your host memory, it is possible that Splunk is not using it!
When you install Splunk and have completed your build process, if you are like me, one of the last things I do is: ./splunk enable boot-start -systemd-managed 1 -user splunk reboot the box and pat yourself on the back, maybe grab a beer.
At some point later, you add more memory to the host (or in my case, resize the EC2 instance)
EC2 is a special case which is what highlighted this for me - more on that later..
Assuming your host has swap memory, everything will work fine. However, what you may not notice is that Splunk is heavily using swap instead of real memory.
If you disable swap swapoff -a you will very likely see Splunk dies rapidly with OOM.
What happens is this:
When you run splunk enable boot-start Splunk takes note of the current memory limit and writes this into the Splunkd.service unit file.
Unless configured otherwise, default linux behaviour is to allow memory overcommit using cgroups, meaning that if Splunk wants more memory than it has allocated by cgroups, all sorts of magic happens which ultimately means that swap memory gets allocated to Splunk.
If your swap is on fast IO disks, you may not notice straight away, however Splunk will never be able to use more 'real' memory than was present when you initially ran enable boot-start
Check if you are affected:
cat /etc/systemd/system/Splunkd.service
Look for the line
[Service]
...
MemoryLimit= x
Then check your system memory cat /proc/meminfo Look the value for
MemTotal= y (kB)
Note that the unit file is in bytes, and MemTotal is in kB, but check if these values match.
If the MemoryLimit is below MemTotal then you very likely have been affected by this issue.
To Resolve:
1 Stop Splunk 2 Disable boot-start ./splunk disable boot-start 3 Re-enable boot-start ./splunk enable boot-start -systemd-managed 1 -user splunk 4 Restart Splunk
Now if you check the unit file, you should have the correct MemoryLimit applied and Splunk should be able to use all of it.
Documentation: UPDATE: Following my submission, the documentation has been updated to reflect this. It now reads:
The MemoryLimit value is set to the total system memory available in bytes when the service unit file is created. The MemoryLimit value will not update if the total available system memory changes. To update the MemoryLimit value in the unit file, you can manually edit the value or use the boot-start command to disable and re-enable systemd. http://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/RunSplunkassystemdservice The Splunk Docs team are still reviewing this, but this revised wording certainly makes it clearer.
Thanks Edward K!
EC2 corner case:
Generally speaking "swap" on ec2 sucks! Most hosts running in AWS have storage volumes which have a limitation on IOPS. This can make it very apparent if your system has swap on an EBS and is using lots of IO because after a period of time, your host will have consumed all of the IOP credits, then IO grinds to a halt causing high iowait. (Tip, use htop and enable display of iowait - You will see high load averages but comparatively low CPU use unless iowait display is on) In my case this was exactly the problem I was experiencing. The obvious solution is more ram, less swap. So I upgraded the host, and disabled the swap. Instantly this caused OOM and so began much head scratching, digging and ultimately discovery of where this was occurring
... View more
04-20-2020
11:10 AM
Hi @PavelP
Thanks for your suggestions, see the results of vmstat and iostat below.
As you can see this is real swapping, (vmstat formatted for clairty)
And in iostat you can see the highest io is on the dedicated swap device nvme2n1
I'm not worried about the load avg, I was just highlighting that I know the system in the screenshot is below suggested minimum spec, but the behaviour is just the same on a 16core 64gb instance.
Thanks for the note on vmtouch - I had not come across that tool before!
A new discovery is that the checkpoint file which the TA writes is now over 800mb in size. This is utter madness because the bucket that is being processed only has a few thousand files in it, and a quick look inside the checkpoint file has many thousands of repeated bucket names. There is clearly something very strange occurring with this python input process.
It was remiss of me not to post version info in the original question, but this is Splunk Enterprise 8.0.3 with version 5.0 of the TA. (latest)
Its a fresh deployment, so no upgrade legacy inputs.
I am close to writing this one up as a bug and throwing it over to support.
... View more
04-18-2020
09:38 AM
Just to note, this is a dedicated HF for AWS, its not running any searches, and the other AWS inputs all work fine and in a timely fashion, this issue is constrained just to the generic s3 task (of which this is the only one)
I have seen this doc https://docs.splunk.com/Documentation/Splunk/7.2.4/Troubleshooting/Troubleshootmemoryusage but as described above this is not related to searches, or even the splunkd process.
... View more
04-18-2020
09:29 AM
I have an interesting problem which I can’t work out with the AWS-TA specifically for an S3 input.
I am collecting CloudTrail logs from an S3 bucket (no SQS, because the existing environment was preconfigured) I am collecting the logs with a Generic S3 input, but I have limited the collection window to only events that have been written to S3 in the last week (ish).
As an aside, the bucket is already lifecycle managed and only has 90 days of logs within it.
I am running the TA on an AWS HF instance with the necessary IAM roles, and data is collected, however.. there is a significant delay between logs being written to S3, collected and indexed.
After some investigation, I have discovered that the HF is chewing through its entire Swap disk, whilst the physical (well, virtual) memory is max ~4gb of total available.
I have been debugging this issue on a variety of ec2 instance types (c5.4xl/2xl/xl) and the system memory/core count has no impact on the behaviour.
The behaviour of this was such that the swap file located on the / volume would be heavily written to, this is in turn would eat the available IOPS on the volume, which when depleted cause high IOwait and eventually the system becomes unresponsive.
To check if this was a problem with the process needing a high amount of virt. mem for the initial ‘read’ I have moved the instance to an m5d, which provides an ephemeral 140GB ssd, which I have used as a dedicated swap device as it is not IOP limited (except by the underlying hardware device). As predicted, this has solved the IOPS depleting and the iowait condition is prevented.
The box has a steady load avg of ~3 (yes I know it’s only got 4 cores) but is otherwise quite happy.
However, the S3 python process has consumed 124GB of Virtual Memory, of which 123GB is on Swap.
I have never seen anything like this before with this TA across many deployments on AWS.
The logs from the TA report nothing untoward in the relevant log file, and whilst CT logs are getting in, they are taking 2-4 hours to arrive, rather than 30mins as configured in the input.
I have dumped the /swap partition with strings , and I can see that the swap file contains the data from the CT log files read from s3, so my present assumption is that the entire buckets log files are being read into swap (multiple times, as there is only 7-8GB of logs in the bucket), it seems that once swap is full, the oldest logs are evicted from swap, and the HF finally processes them, and sends them to the indexers.
Side note – if I run the HF without swap, it gets oomkilled and restarts. No crashlog is generated. Even so, physical memory usage never peaks at more than 3GB.
Does anyone have any ideas what could be up?
... View more
03-19-2020
03:31 AM
Did this help? If so please accept the answer and upvote so the community can see that this worked for you!
... View more
03-17-2020
02:45 PM
you need to have your alert configured in the file named alert_actions.conf
You should locate this file in /opt/splunk/etc/shcluster/apps/new_app/default/alert_actions.conf
... View more
03-10-2020
01:54 AM
Are you running an authenticated scan against the endpoint with credentials?
The CVE as discussed here: https://www.splunk.com/view/SP-CAAAP5E
Addresses the issue by moving the endpoint to an authenticated request in versions >6.6.0.
I am not sure why nessus would still detect this in an unauthenticated request
... View more
03-09-2020
03:27 AM
What actual Address are you using for the endpoint?
It should be yourhost:8088/services/collector/event
... View more
03-06-2020
01:38 AM
If you are just interested in CPU data I echo the sentiments below - use the Splunk provided TA as all of this work is done for you.
If, however this is an exercise which you plan to expand further, you can make you Splunk ingestion journey much easier using K=V values as the response from your script. Also make you your life easier by including a timestamp.
CSV output formats make a huge amount of sense if the output from your script is large and repetitive. In those cases you only write the field names (header) out once, and then list all the values, but for a simple output from a script, you will find it much easier if you format your output like so:
06/03/2020 09:36:24 cpu=all pctIdle=94.6
Splunk will automatically break events formatted like this, and the fields will be auto extracted for you
... View more
03-06-2020
12:01 AM
The user needs the role which is added when you install cloud gateway (I don’t have access to a system with it running at present) if I recall it’s called something like cloud-gateway-role.
You can modify the standard “user role” to inherit it, so all users get the required capability
... View more
03-05-2020
12:41 AM
That’s one approach.
The other is be 100% sure your standby is not in dns, start it, sync files, shut down.
The reason I suggest keeping it offline is to reduce any chance of it being confused with the primary, but another approach is to keep the host running with Splunk shutdown.
... View more
03-04-2020
10:11 AM
Did you run through the migration checks before upgrading?
https://docs.splunk.com/Documentation/Splunk/8.0.0/Installation/AboutupgradingREADTHISFIRST
Take a look at this post following and see if it addresses your issue.
https://answers.splunk.com/answers/779171/upgrading-from-701-to-80-splunk-web-stopped-runnin.html
... View more
03-04-2020
09:58 AM
I think I have seen another post on the subject - and after a quick look now, I can't find it!
There was a suggestion that Splunk 8 does not handle dashboards that do not have a label, and can trigger this message.
Sadly the message does not give any indication as to which dashboard is the problem.
The suggested advice was to look through the xml for your dashboards and identify any which do not have a label and manually edit the xml to include one.
If I can find the post I will update my answer to give credit/context.
EDIT###
I have retracted my answer, as I was mistaken. Here is the post I was referring to, but it does not apply to your situation.
https://answers.splunk.com/answers/802002/500-internal-server-error-when-i-click-manage-apps.html
... View more
03-04-2020
09:52 AM
So I just learnt something!
File uses a file checkpoint in the path you specify.
Auto stores the checkpoint in the KV Store
https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Usetheaddon#Configure_inputs
... View more
03-04-2020
09:46 AM
This can happen if your instance was at some point started by root (perhaps by mistake)
All files in $SPLUNK_HOME should be owned by the user Splunk is running as (splunk)
If you have files inside $SPLUNKHOME owned by root, you should probably run:
sudo chown -R splunk:splunk /opt/splunk - or the path of $SPLUNKHOME
... View more
03-04-2020
09:42 AM
Hi @MMCC
Why can't the master on site 2 be up and running? It has to be "brought" up...
A Multisite Cluster can only have one Cluster Master running at a time. The master is the component responsible for co-ordinating all the actions of the cluster, therefore, you can not have two.
reconfiguring all peers to the new master takes time! How can this be avoided?
You should have a standby master (which means a Splunk instance with the same splunk.secret, same cluster shared key, same config, same apps etc) but offline (vm shutdown).
Ideally, your cluster peers should use a DNS name (not a IP address) to reference the master.
To bring the standby master online, change the DNS records to reflect the IP of the standby master, and start the VM.
If the "failover" CM is not known to the peers can it still be up?
If the standby CM has the same splunk.secret, and the same cluster shared key, and the same master apps, then the peers will accept it as the previously running CM.
A word of Caution
MAKE SURE YOU KEEP THE MASTER APPS IN SYNC.
If you make changes to the master apps on the primary CM, (in particular indexes.conf) make sure you copy the changes to the standby.
If you fail to do this and you have an index defined in your primary which is NOT defined in the standby, when the standby master comes online it will remove the missing index from your peers. This is not fun. Don't let it happen to you.
... View more
03-04-2020
08:44 AM
Your comment:
Bringing up the stand by CM takes time why can't it run parallel?
What would you do if you had a standby CM running in parallel, and the primary failed?
Surely you would expediently replace it - that process would take the same amount of time as simply replacing a single primary.
The fact that the CM is stateless means recovery is a straightforward process and does not depend on a lengthy task to restore it.
I fully advocate keeping a recent backup of your instances for this eventuality, but a CM failure is not a breaking failure (in the same way as loosing a single properly spec'd idx peer or SHC member is not immediately breaking)
Certainly you should have a plan to recover a Splunk instance, but aside from the specific commands to add your replacement instance to its relevant idx or SHC cluster, its a very similar process.
... View more
