- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- splunk watchdog
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: So all of this was written about Splunk 4.x. So keep that in mind.
For what it's worth. I've found the watchdog "feature" to be more trouble than it's worth, at least on Linux, I haven't tried it on other systems. I've run into situation where it has started up a second instance of splunk because it thought splunkd was down. (Which was technically true, I suppose) but it was down because splunk restart was run. So I ended up with two instances of splunkd concurrently, which ultimately ended up with some index corruption because of it. This happened more than once, or I would have written it off as a fluke.
Here is a script I've been using on a forwarder that, for whatever reason, splunkd seems to crash on quite frequently on that box (every couple months it will crash a couple of times in a row).
**WARNING:** Use this script at your own risks. It's only been tested on one system so far and it could possibly do "bad things". It's also pretty dumb, but it does seem to be slightly smarter than the splunkmon process, at least in my experience. By your mileage may vary. You've been warned!
/usr/local/sbin/check_splunkd.sh
#!/bin/bash
# TODO: Add some kind of runlevel checking or something; make sure we aren't trying to startup whenever the system is poweroff down for example. For now we are just going to risk it.
user=splunk
proc=splunkd
SPLUNK_HOME=/opt/splunk
MAINT_FILE=$SPLUNK_HOME/disabled
LOGGER="logger -t check_splunkd.sh -s"
if [ -f $MAINT_FILE ]
then
echo "Splunk has been shutdown for maintenance mode (remove $MAINT_FILE) to re-enable automatic splunk restarting." | $LOGGER
exit 0;
fi
# Wait 50 second to see if splunkd is really down (and not just restarting)
if ! pgrep -u $user $proc > /dev/null
then
echo "Splunkd appears to be down." | $LOGGER
i=0
while ! pgrep -u $user $proc > /dev/null
do
let i+=1
if [ $i -gt 10 ]; then break; fi
echo "Loop $i"
sleep 5
done
if [ $i -gt 10 ];
then
# Splunkd is not running. Trying to start it up
echo "Splunkd still not running. Attempting to start!" | $LOGGER
su $user -c "$SPLUNK_HOME/bin/splunk start splunkd"
RETVAL=$?
echo "Splunk started with RETVAL=$RETVAL" | $LOGGER
else
echo "Splunkd is now running.... Perhaps splunk was being restarted (i=$i)" | $LOGGER
fi
fi
I then schedule this script to run every 10 minutes (which is good enough for my needs)
/etc/crontab
*/10 * * * * root /usr/local/sbin/check_splunkd.sh
If you want to temporarily disable this functionality, like during a splunk upgrade. Simply run:
touch /opt/splunk/disable
To re-enable it, simply remove the file:
rm /opt/splunk/disable
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: So all of this was written about Splunk 4.x. So keep that in mind.
For what it's worth. I've found the watchdog "feature" to be more trouble than it's worth, at least on Linux, I haven't tried it on other systems. I've run into situation where it has started up a second instance of splunk because it thought splunkd was down. (Which was technically true, I suppose) but it was down because splunk restart was run. So I ended up with two instances of splunkd concurrently, which ultimately ended up with some index corruption because of it. This happened more than once, or I would have written it off as a fluke.
Here is a script I've been using on a forwarder that, for whatever reason, splunkd seems to crash on quite frequently on that box (every couple months it will crash a couple of times in a row).
**WARNING:** Use this script at your own risks. It's only been tested on one system so far and it could possibly do "bad things". It's also pretty dumb, but it does seem to be slightly smarter than the splunkmon process, at least in my experience. By your mileage may vary. You've been warned!
/usr/local/sbin/check_splunkd.sh
#!/bin/bash
# TODO: Add some kind of runlevel checking or something; make sure we aren't trying to startup whenever the system is poweroff down for example. For now we are just going to risk it.
user=splunk
proc=splunkd
SPLUNK_HOME=/opt/splunk
MAINT_FILE=$SPLUNK_HOME/disabled
LOGGER="logger -t check_splunkd.sh -s"
if [ -f $MAINT_FILE ]
then
echo "Splunk has been shutdown for maintenance mode (remove $MAINT_FILE) to re-enable automatic splunk restarting." | $LOGGER
exit 0;
fi
# Wait 50 second to see if splunkd is really down (and not just restarting)
if ! pgrep -u $user $proc > /dev/null
then
echo "Splunkd appears to be down." | $LOGGER
i=0
while ! pgrep -u $user $proc > /dev/null
do
let i+=1
if [ $i -gt 10 ]; then break; fi
echo "Loop $i"
sleep 5
done
if [ $i -gt 10 ];
then
# Splunkd is not running. Trying to start it up
echo "Splunkd still not running. Attempting to start!" | $LOGGER
su $user -c "$SPLUNK_HOME/bin/splunk start splunkd"
RETVAL=$?
echo "Splunk started with RETVAL=$RETVAL" | $LOGGER
else
echo "Splunkd is now running.... Perhaps splunk was being restarted (i=$i)" | $LOGGER
fi
fi
I then schedule this script to run every 10 minutes (which is good enough for my needs)
/etc/crontab
*/10 * * * * root /usr/local/sbin/check_splunkd.sh
If you want to temporarily disable this functionality, like during a splunk upgrade. Simply run:
touch /opt/splunk/disable
To re-enable it, simply remove the file:
rm /opt/splunk/disable
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which OS are running?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
