Splunk on Mac crashing continually

gedsays
Explorer

Hi,

I've just installed Splunk 6.1 on a Mac with OS X 10.9.2, using the splunk-6.1.0-206881-macosx-10.7-intel.dmg package, and tried adding some data. Below is the crash report.

When I try to restart splunkd, it just crashes again after a little while with similar messages in the crash report. I also get these assertion failures and complaints about not being able to find the manifest file in the crash report:

2014-05-11 21:01:10.299 +1000 splunkd started (build 206881)
Assertion failed: (n <= rawSize()), function removeStartOfRaw, file /Users/eserv/wrangler/build-src/6.1.0/src/framework/PipelineData.h, line 382.
2014-05-11 22:09:08.649 +1000 splunkd started (build 206881)
Cannot open manifest file inside "/Applications/Splunk/var/lib/splunk/_internaldb/db/db_1398999122_1398999122_0/rawdata": No such file or directory
Cannot open manifest file inside "/Applications/Splunk/var/lib/splunk/_introspection/db/db_1399806670_1399806670_0/rawdata": No such file or directory
Assertion failed: (n <= rawSize()), function removeStartOfRaw, file /Users/eserv/wrangler/build-src/6.1.0/src/framework/PipelineData.h, line 382.

Any suggestions?

Thanks in advance,

Ged

[build 206881] 2014-05-11 21:33:09
Received fatal signal 6 (Abort trap: 6).
Cause:
Unknown signal origin (si_code=0).
Crashing thread: parsing

OS: OS/X
Arch: x86-64

Backtrace (NOTE: symbols may be wrong -- dladdr() is unreliable on OS/X):
[0x0000000107443A00] ?
[0x00007FFF8DFB5B1A] abort + 125 (/usr/lib/system/libsystem_c.dylib)
[0x00007FFF8DF7F98E] _assert_rtn + 272 (/usr/lib/system/libsystem_c.dylib)
[0x00000001058CE177] _ZN12PipelineData16removeStartOfRawEm + 183 (/Applications/Splunk/bin/splunkd)
[0x00000001058CEF0C] _ZN27StructuredDataHeaderRemoverD0Ev + 2684 (/Applications/Splunk/bin/splunkd)
[0x0000000105E9C2F7] _ZNSt8_Rb_treeI3StrSt4pairIKS0_12CronIntervalESt10_Select1stIS4_ESt4lessIS0_ESaIS4_EE4findERS2 + 9223 (/Applications/Splunk/bin/splunkd)
[0x00000001058CE9C2] _ZN27StructuredDataHeaderRemoverD0Ev + 1330 (/Applications/Splunk/bin/splunkd)
[0x00000001058CD928] _ZN6FifoFdC2ER8PathnameR15CowPipelineDataP9EventLoopP18FifoInputProcessorR13PropertiesMap + 8392 (/Applications/Splunk/bin/splunkd)
[0x0000000105C76327] _ZN22PersistentCacheVersionD0Ev + 11223 (/Applications/Splunk/bin/splunkd)
[0x0000000105F8F692] _ZN35TcpOutboundTerminateExternallyActorD0Ev + 6034 (/Applications/Splunk/bin/splunkd)
[0x00007FFF8C7BB899] _pthread_body + 138 (/usr/lib/system/libsystem_pthread.dylib)
[0x00007FFF8C7BB72A] _pthread_struct_init + 0 (/usr/lib/system/libsystem_pthread.dylib)
[0x00007FFF8C7BFFC9] thread_start + 13 (/usr/lib/system/libsystem_pthread.dylib
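
The crash report in the post above can be triaged programmatically. The following is an added example, not part of the original post and not Splunk code: it pulls out the signal, the crashing thread and the frames inside splunkd, and decodes only the simple `_ZN<len><name>...` form of mangled C++ names. The function names and the shortened sample are constructed for illustration, and, as the report itself notes, the symbols may be wrong, so the frames are hints rather than proof.

```python
import re

# Constructed sample: a shortened crash report in the format shown in the post.
SAMPLE = """\
Received fatal signal 6 (Abort trap: 6).
Crashing thread: parsing
Backtrace (NOTE: symbols may be wrong -- dladdr() is unreliable on OS/X):
[0x00007FFF8DF7F98E] _assert_rtn + 272 (/usr/lib/system/libsystem_c.dylib)
[0x00000001058CE177] _ZN12PipelineData16removeStartOfRawEm + 183 (/Applications/Splunk/bin/splunkd)
[0x00000001058CEF0C] _ZN27StructuredDataHeaderRemoverD0Ev + 2684 (/Applications/Splunk/bin/splunkd)
[0x00007FFF8C7BB899] _pthread_body + 138 (/usr/lib/system/libsystem_pthread.dylib)
"""

FRAME = re.compile(r"^\[0x[0-9A-Fa-f]+\] (\S+) \+ (\d+) \((.+)\)$")

def demangle_nested(sym):
    # Handles only plain nested names (_ZN + length-prefixed parts);
    # templates, std:: abbreviations and C symbols are returned unchanged.
    if not sym.startswith("_ZN"):
        return sym
    i, parts = 3, []
    while (m := re.match(r"\d+", sym[i:])):
        start = i + m.end()
        parts.append(sym[start:start + int(m.group())])
        i = start + int(m.group())
    if not parts:
        return sym
    tag = sym[i:i + 2]
    if tag in ("D0", "D1", "D2"):        # destructor variants
        parts.append("~" + parts[-1])
    elif tag in ("C1", "C2", "C3"):      # constructor variants
        parts.append(parts[-1])
    return "::".join(parts)

def triage(report, binary="splunkd"):
    # Keep only frames whose module path ends in the given binary name.
    info = {"signal": None, "thread": None, "frames": []}
    for line in map(str.strip, report.splitlines()):
        sig = re.match(r"Received fatal signal (\d+)", line)
        frame = FRAME.match(line)
        if sig:
            info["signal"] = int(sig.group(1))
        elif line.startswith("Crashing thread:"):
            info["thread"] = line.split(":", 1)[1].strip()
        elif frame and frame.group(3).endswith("/" + binary):
            info["frames"].append((demangle_nested(frame.group(1)), int(frame.group(2))))
    return info

if __name__ == "__main__":
    print(triage(SAMPLE))
```
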

gsteff
Explorer

I'm getting the error in Splunk 6.1 on Linux. It occurs when I add a new filesystem directory data input, and appears to relate to the contents of the files in it.

0 Karma

lguinn2
Legend

Hmm, I would try installing with the .tgz tarball instead. I am not having trouble and that is what I used for my Mac. I'd also check permissions.

You should only start/stop Splunk as the same user who owns all the Splunk files. If you once started Splunk using root, then some of the file ownership may have changed. This is one way that permissions problems happen. You may want to use chown -R to fix that.

I'd also check that your download wasn't corrupt. But if all of these suggestions fail, I'd submit a bug: at that point, I would guess that Splunk published a bad download package for the Mac.

0 Karma
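
The two checks suggested in the reply above (files under the Splunk directory not owned by the expected user, and the download's MD5 compared with the published value) can be scripted. This is an added example, not from the thread; the function names are hypothetical and the demo uses a constructed temporary directory instead of a real install.

```python
import hashlib
import os
import tempfile

def foreign_owned(root, expected_uid):
    # List every path under root (root included) whose owner differs from
    # expected_uid. lstat() is used so symlinks are checked, not followed.
    bad = [root] if os.lstat(root).st_uid != expected_uid else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != expected_uid:
                bad.append(path)
    return sorted(bad)

def md5_matches(path, published_hex):
    # Hash the file in chunks and compare with the published MD5 string.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == published_hex.strip().lower()

if __name__ == "__main__":
    # Constructed demo tree standing in for the Splunk install directory.
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "var"))
        pkg = os.path.join(home, "package.tgz")
        with open(pkg, "wb") as fh:
            fh.write(b"constructed sample bytes")
        print("not owned by current user:", foreign_owned(home, os.getuid()))
        print("checksum ok:", md5_matches(
            pkg, hashlib.md5(b"constructed sample bytes").hexdigest()))
```
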

gedsays
Explorer

OK. So I checked the md5sum against the .dmg package and they match. The chown -R wasn't necessary as the files are all owned by the right user.

So, I uninstalled and installed the .tgz tarball. I still get the same behaviour. After indexing the input files (about 1.5Gb worth - not sure if that is a problem given the 500Mb limit/day but it shouldn't crash the daemon), splunk crashed and when restarted, it crashes again within a few seconds. Errors are similar to my initial post.

Any help would be really appreciated!

gedsays
Explorer

Thanks for the suggestions. I started Splunk with the same user as the one that ran the installation. The strange thing is that Splunk was running fine while adding a few million events from the input files and then at some point splunkd crashed and from then would crash almost immediately after restarting. I tried reinstalling Splunk and the same sequence of events occurred.

I'll check the md5sum of the installer, run chown -R, and if that doesn't shed any light, will try the .tgz tarball install.

0 Karma