All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for AWS: Why are there Issues with Kinesis Pull?

chrisboy68
Contributor
‎06-30-2021 03:14 PM

Hi, Running 5.04 of the Add On - on a HF Splunk 8.1.3. Randomly an input just stops ingesting. There is nothing in the logs, even with DEBUG on. Loggin on this app is poor (rant).

Anyone run into similar issues? Tips, suggestions?  Nothing showing up in the splunkd DEBUG logs either. 

 

Thanks

 

Chris

Labels (1)
Labels
Tags (4)
0 Karma
Reply

chrisboy68
Contributor
‎07-01-2021 04:47 AM

Thanks for the suggestion. Yes, they are sending to the stream. 

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 05:51 PM

@chrisboy68 

You must be using Kinesis Data Streams?  It's unstable usually doesn't log much when the real-time streaming is too much. Check was there increase of logs stream logs before it has stopped.

check the _internals modinputs logs... keywords *shard*, *Thread* .  Did you check this sourcetype 'aws:kinesis:log'?

Restart of HF usually fixes the issues.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 06:54 PM

@chrisboy68 can you verify kinesis activity on AWS was it sending the stream?

Further you can update the following settings, Spec says

[global_settings]
use_hec = 0 or 1, use Http Event collector to inject data
hec_port = 8088, Http Event Collector port
use_kv_store = 0 or 1, use KVStore to do ckpt
use_multiprocess = 0 or 1, use use_multiprocess to do data collection

change them to,

#aws_kinesis.conf
[global_settings]
use_hec = 1
use_multiprocess = 0

---

An upvote would be appreciated and Accept solution if it helps!

0 Karma
Reply

chrisboy68
Contributor
‎07-02-2021 11:31 AM

Hi, yes we are sure the stream has data. We have seen this issue on multiple inputs. We have a case in process.

 

Thanks for helping

 

Chris

0 Karma
Reply

wongki
Explorer
‎07-19-2022 09:21 AM

Hey @chrisboy68 . Was this solved? We have Splunk Enterprise 8.2.3 running Splunk_TA_aws 5.2.0. At the rate it's going, Splunk will never be able to ingest fully even after retention period. All config is default.

0 Karma
Reply

chrisboy68
Contributor
‎07-21-2022 05:41 AM

No. We ended up going with another solution (product outside of Splunk). The TA was very buggy and does not scale or cluster aware (just one HF doing work). It caused us many headaches. For smaller shops, I'm sure it works fine.

 

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...