Using Splunk in a Windows environment, search head and indexer on Win 2012, while the rest of the servers being indexed are mostly Win 2008 R2.
Today I got to see a lot of the following error messages in the _internal index:
02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - <<<EOF file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat"
02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - Dumping contents of file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat" txnPerSync=77:
The errors are logged to splunkd.log on the indexer.
Not really sure what to do with this right now, or if I need to do anything at all.
Okay, I did some quick checking - I've run across this before. Those messages are benign, and will be addressed in a later update.
It means that our tsidx buffer has been shrunk a bit too small. The message also means that we’ve increased that size to a reasonable level. There are no known adverse effects stemming from this message.
Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.
I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).
At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.
I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering ...
Did a search now and found no reported errors available. Now running Splunk 6.1.1 build 207789, so as mentioned in the first answer I'm guessing that it has been fixed after I updated to 6.1.1.
Yes, the servers are VMware servers.
Splunk 6.0.1 (build 189883)
So, just to check if I get this... the error can safely be ignored?
I'm curious though, in our situation, I will see about 9-10 of these messages then the indexer will no longer be able to talk to the SH. We will get replication issues and have to restart the indexer and/or the SH. Is there any correlation there? Perhaps the symptom is just a coincidence?
What version of Splunk are you using?
I have the same scenario except on a Linux indexer. Still can't find any additional information about these errors. You wouldn't happen to be running this on a VM, would you?