Installed Splunk 5.0.1 on Gentoo Linux (x64). Execute "/opt/splunk/bin/bloom" and get the error message:
/opt/splunk/bin/splunkd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory
Manually added a symbol link from /usr/lib64/libpcre.so to /usr/lib64/libpcre.so.0 and execute bloom again. Get the error message:
/opt/splunk/bin/splunkd: error while loading shared libraries: /usr/lib64/libpcre.so.0: invalid ELF header
Is the error coming from the os library or the bloom utility?
We find the bloom utility can work fine if we use splunk cmd to execute it.
$SPLUNK_HOME/bin/splunk cmd bloom
The same libpcre.so.0 error occur when we execute btool utility directly on Gentoo Linux (x64). The above libpcre.so.0 error will not be triggered on Mac OS X.
We find the bloom utility can work fine if we use splunk cmd to execute it.
$SPLUNK_HOME/bin/splunk cmd bloom
The same libpcre.so.0 error occur when we execute btool utility directly on Gentoo Linux (x64). The above libpcre.so.0 error will not be triggered on Mac OS X.
Yes, btool is supported. As I said above, my answer wasn't directed at the error you were experiencing. Running commands with Splunk cmd just enables them to use the libraries included with Splunk. If they throw an error or not is irrelevant to if it is supported or buggy 🙂 In this case, the bloom command "executes" - but as per my post below, it creates duplicate buckets and doesn't actually work and so is unsupported. Btool should always be used and is encouraged! Its a great tool.
For your reference, the btool has the same situation. Execute btool directly come out the libpcre.so.0 error. Using splunk cmd to call btool works fine. So, the btool should be supported by splunk, right?
Its a big product and there are a lot of elements to it, I expect it was still either being tested or a bug was found after release with it. It is listed in the known issues that all customers read before installing, however, so it is at least well publicised.
Why this utility publish to customers if is unsupported?
Just to be clear, my post below was unrelated to your error. The bloom command is still unsupported, however it is called, as it is currently causing damage to bloom filters and should not be used.
Why are you trying to use the bloom utility? You shouldn't be trying to use this at the moment.
As per the known issues;
•The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)
If you have a particular problem, throw it up here and we'll see if theres another way to fix it or if its alright 🙂
Thanks, Drainy. We will ignore the bloom utility problem and use splunk fsck command.
you should be using fsck, this should repair any damage. http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/HowSplunkstoresindexes#Troubleshoot_your_buc...
We configure indexes.conf and put bloom filter in separate volume (a SSD to accelerate searching). How to rebuild the bloom filter once the volume has crashed without bloom utility?