About snosurfur

snosurfur · ‎05-09-2024

Stopping splunkd is taking up to 6 minutes to complete. We have a process that snapshots the instance and we are stopping splunkd prior to taking that snapshot. Previously with v9.0.1 we did not experience this; now we are on v9.2.1. While shutting down I am monitoring spklunkd.log and the only errors I am seeing has to do with the HFs. 'TcpInputProc [65700 tcp] - Waiting for all connections to close before shutting down TcpInputProcessor '. Has anyone else experienced something similar post upgrade?

snosurfur · ‎07-31-2018

We also use kinesis, and are pulling in vpcflow logs and recently found a solution to the log time. I will share my thoughts in hopes that it either turns out to be a solution for you or point you in the right direction. Option 1: This will use the current time of the splunk server to log the time of the event and convert/read epoch time. Edit/Create a props.conf file in %SPLUNK%\etc\system\local [] TIME_PREFIX = CURRENT TIME_FORMAT = %s Option 2: This will take either the start time of the event or end time, however you configure regexp. Edit/Create a props.conf file in %SPLUNK%\etc\system\local Start time of event [] TIME_PREFIX = ^([^ ]+\s){10} TIME_FORMAT = %s End time of event [] TIME_PREFIX = ^([^ ]+\s){11} TIME_FORMAT = %s Keeping in mind these are configured specifically formatted for vpc flow logs.

Posts	2
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎12-10-2013

Online Status	Offline
Date Last Visited	‎05-09-2024 06:33 PM

Stopping Splunk is taking very long to stop

Stopping Splunk is taking very long to stop

Re: Kinesis AWS Input - Timestamp recognition