What will cause AIX get core dump when Splunk Light Weight Forwarder restarts?

zliu
Splunk Employee

Sometimes when restarting the Splunk Light Forwarder, the user will experience a core dump. The forwarder still restarts and functions properly, but the core dump will fill up the user's root filesystem.

The problem isn't limited to one host; it happens on several hosts, but all are running AIX 5.3-09.

1 Solution

dwaddle
SplunkTrust

You might check AIX's error logs (use the errpt command) - usually a core dump is logged there, with as much information as AIX can figure out.

Often, figuring this kind of thing out would mean having to have:

  • a copy of the binary that hasn't been stripped
  • the source code
  • an AIX machine at the exact same level of libc and kernel
  • the 'full' core file (run "chdev -l sys0 -a fullcore=true") and reboot

In other words, you'll probably need to engage Splunk support.

You might do as well to just disable corefiles for splunk. The only way (for sure) that I know how to do it would be to move $SPLUNK_HOME/bin/splunk to $SPLUNK_HOME/bin/splunk_real and make a shell script to replace the splunk binary, something like:

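#!/bin/ksh
# Wrapper installed as $SPLUNK_HOME/bin/splunk; the real binary is splunk_real beside it
ulimit -c 0  # disable core dumps
exec "$(dirname "$0")/splunk_real" "$@"  # run the real binary with the original arguments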


dwaddle
SplunkTrust

No, it would not disable core dumps for all root processes. Again, I would strongly suggest getting Splunk support involved if you are getting core dumps regularly. My suggestion above was intended to be a temporary workaround to suppress corefiles until Splunk support could figure out the root cause and fix it.

0 Karma

zliu
Splunk Employee

Will this script disable core dumps for all root processes?

0 Karma
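
The scoping question in this thread can be checked directly. The script below is an added example, not code from any poster or from Splunk: it performs the same "ulimit -c 0, then exec" sequence as the wrapper and compares the core limit seen by the exec'd program with the caller's limit before and after. The inner `sh` is a stand-in for splunk_real, and the function names are made up for this demonstration.

```sh
#!/bin/sh
# Added demonstration: a limit set with ulimit belongs to the process that
# sets it and is inherited across fork/exec, so a wrapper's "ulimit -c 0"
# reaches only the wrapped program and its children.

# Soft core-size limit of the calling shell ("unlimited" or a block count).
core_limit() {
    ulimit -c
}

# Core limit seen by a program exec'd after "ulimit -c 0". The outer sh
# plays the wrapper; the inner sh is a stand-in for splunk_real.
limit_inside_wrapper() {
    sh -c 'ulimit -c 0; exec sh -c "ulimit -c"'
}

# Succeeds when the wrapped program sees a limit of 0 and the caller's
# own limit is the same before and after the wrapper ran.
wrapper_is_scoped() {
    before=$(core_limit)
    inside=$(limit_inside_wrapper)
    after=$(core_limit)
    echo "caller before wrapper : $before"
    echo "inside wrapped program: $inside"
    echo "caller after wrapper  : $after"
    [ "$inside" = "0" ] && [ "$before" = "$after" ]
}

wrapper_is_scoped
```

If the caller's limit is already 0 on the host where this runs, all three lines print 0 and the comparison shows nothing; raise the soft limit in the calling shell first to see the difference.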