Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my Splunk instance not starting and crashing with crash logs?

sylim_splunk
Splunk Employee
Splunk Employee
‎07-31-2018 02:42 PM

My splunk instance keeps on crashing it's not even starting. Whenever "splunk start" is entered it creates crash logs under /var/log/splunk directory, which has below stack traces with "Aborted" and assertion, _parent == __null' failed
This started to happen after upgrade to 7.0.4 from 6.5.5 which did not show any crashes.
*

[build c8a78efdd40f] 2017-11-30 09:49:09
 Received fatal signal 6 (Aborted).
 Cause:
 Signal sent by PID 15459 running under UID 11396.
 Crashing thread: HttpInputServerManagementThread
 Registers:
 RIP: [0x00007FED9E034495] gsignal + 53 (libc.so.6 + 0x32495)

OS: Linux
 Arch: x86-64
Backtrace (PIC build):
 [0x00007FED9E034495] gsignal + 53 (libc.so.6 + 0x32495)
 [0x00007FED9E035C75] abort + 373 (libc.so.6 + 0x33C75)
 [0x00007FED9E02D60E] ? (libc.so.6 + 0x2B60E)
 [0x00007FED9E02D6D0] __assert_perror_fail + 0 (libc.so.6 + 0x2B6D0)
 [0x00007FEDA0CD31AA] ? (splunkd + 0x16C61AA)
 [0x00007FEDA0CD48E8] _ZN13HttpInputConf4loadEv + 1384 (splunkd + 0x16C78E8)
 [0x00007FEDA0CD51EE] _ZN13HttpInputConfC2Ev + 94 (splunkd + 0x16C81EE)
 [0x00007FEDA0CD5251] _ZN13HttpInputConf6Getter6updateEv + 33 (splunkd + 0x16C8251)
 [0x00007FEDA0CCAE18] _ZN31HttpInputServerManagementThread11reconfigureEbR3Str + 120 (splunkd + 0x16BDE18)
 [0x00007FED9FE57B6C] _ZN31HttpInputServerManagementThread4mainEv + 172 (splunkd + 0x84AB6C)
 [0x00007FEDA090FB3F] _ZN6Thread8callMainEPv + 111 (splunkd + 0x1302B3F)
 [0x00007FED9E39DAA1] ? (libpthread.so.0 + 0x7AA1)
 [0x00007FED9E0EABCD] clone + 109 (libc.so.6 + 0xE8BCD)

 splunkd: /home/build/build-src/minty/src/pipeline/input/httpinput/HttpInputConf.cpp:111: void HttpInputConf::TokenConf::setParent(const HttpInputConf::TokenConf*): **Assertion \`_parent == __null' failed.**
 splunkd: /home/build/build-src/minty/src/pipeline/input/httpinput/HttpInputConf.cpp:111: void HttpInputConf::TokenConf::setParent(const HttpInputConf::TokenConf*): **Assertion \`_parent == __null' failed**.
*

Please help.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎07-31-2018 02:47 PM

This can happen when token for Http Event collector is used multiple times in different "http" stanzas. You can confirm if it is the case or not by running the below;

$SPLUNK_HOME/bin/splunk btool ---debug inputs list | grep "token =" |cut -d "=" -f 2 | sort |uniq -c | awk '{if ($1>1) print $1,$2 }'

If you find tokens used more than 1 it can cause crash. Make sure the tokens are only used once. We are implementing fixes so that it puts ERROR messages when it detects duplicate tokens used for HEC and continue, no more crashes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎07-31-2018 02:47 PM

This can happen when token for Http Event collector is used multiple times in different "http" stanzas. You can confirm if it is the case or not by running the below;

$SPLUNK_HOME/bin/splunk btool ---debug inputs list | grep "token =" |cut -d "=" -f 2 | sort |uniq -c | awk '{if ($1>1) print $1,$2 }'

If you find tokens used more than 1 it can cause crash. Make sure the tokens are only used once. We are implementing fixes so that it puts ERROR messages when it detects duplicate tokens used for HEC and continue, no more crashes.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...