How to solve: ERROR StreamGroup - Dumping contents of file="...splunk-autogen-params.dat" txnPerSync=77:

rune_hellem
Contributor

Using Splunk in a Windows environment, search head and indexer on Win 2012, while the rest of the servers being indexed are mostly Win 2008 R2.

Today I got to see a lot of the following error messages in the _internal index:

02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - <<<EOF file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat"

02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - Dumping contents of file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat" txnPerSync=77:

The errors are logged to splunkd.log on the indexer.

Not really sure what to do with this right now, or if I need to do anything at all.

0 Karma
1 Solution

bosburn_splunk
Splunk Employee

Okay, I did some quick checking - I've run across this before. Those messages are benign, and will be addressed in a later update.

It means that our tsidx buffer has been shrunk a bit too small. The message also means that we’ve increased that size to a reasonable level. There are no known adverse effects stemming from this message.

0 Karma

lmyrefelt
Builder

Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.

I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).

At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.

I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering...

0 Karma
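
As an added example (not part of the original thread and not Splunk's own tooling): a Python script that reads splunkd.log text and lists which index directories and hot buckets logged the StreamGroup dump, so you know which indexes to review for mis-parsed events as suggested in the post above. The function names, the second index name and the Linux path in the sample are assumptions; the directory name can differ from the index name (for example, main is stored in defaultdb).

```python
import re
from collections import Counter

# Constructed sample in the splunkd.log format quoted in the thread.
# "exampleidx" and the /opt/splunk path are made up for illustration.
SAMPLE_LOG = r'''
02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - <<<EOF file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat"
02-11-2014 21:25:58.254 +0100 ERROR StreamGroup - Dumping contents of file="D:\Splunk\var\lib\splunk\klpitest\db\hot_v1_140\splunk-autogen-params.dat" txnPerSync=77:
02-11-2014 21:31:02.101 +0100 ERROR StreamGroup - Dumping contents of file="/opt/splunk/var/lib/splunk/exampleidx/db/hot_v1_7/splunk-autogen-params.dat" txnPerSync=77:
02-11-2014 21:31:05.000 +0100 INFO  Metrics - group=pipeline, name=indexerpipe
'''

# Match only the "Dumping contents" line so the paired "<<<EOF" line
# for the same file is not counted a second time.
LINE_RE = re.compile(
    r'^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} '
    r'ERROR\s+StreamGroup - Dumping contents of file="(?P<path>[^"]+)"'
)


def streamgroup_dumps(log_text):
    """Count StreamGroup dump errors per (index directory, bucket)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Accept both Windows and Linux separators.
        parts = re.split(r'[\\/]+', m.group('path'))
        # Expected tail: <index_dir>/db/<bucket>/splunk-autogen-params.dat
        if len(parts) < 4 or parts[-1] != 'splunk-autogen-params.dat':
            continue
        hits[(parts[-4], parts[-2])] += 1
    return hits


def indexes_to_review(log_text):
    """Sorted index directories that logged at least one dump."""
    return sorted({idx for idx, _bucket in streamgroup_dumps(log_text)})


if __name__ == '__main__':
    for (idx, bucket), n in sorted(streamgroup_dumps(SAMPLE_LOG).items()):
        print(f'{idx}\t{bucket}\t{n}')
```
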

rune_hellem
Contributor

Did a search now and found no reported errors available. Now running Splunk 6.1.1 build 207789, so as mentioned in the first answer I'm guessing that it has been fixed after I have updated to 6.1.1.

0 Karma

rune_hellem
Contributor

Yes, the servers are VMware servers.

Splunk 6.0.1 (build 189883)

0 Karma

rune_hellem
Contributor

So, just to check if I get this...the error can safely be ignored?

0 Karma

jonathan_cooper
Communicator

I'm curious though, in our situation, I will see about 9-10 of these messages then the indexer will no longer be able to talk to the SH. We will get replication issues and have to restart the indexer and/or the SH. Is there any correlation there? Perhaps the symptom is just a coincidence?

0 Karma

bosburn_splunk
Splunk Employee

What version of Splunk are you using?

0 Karma

jonathan_cooper
Communicator

I have the same scenario except on a Linux indexer. Still can't find any additional information about these errors. You wouldn't happen to be running this on a VM would you?

0 Karma