Splunk® Enterprise

Admin Manual

Download manual as PDF

Download topic as PDF

KV store troubleshooting tools

This topic discusses tools for viewing KV store status and its log files. It also discusses some proactive monitoring tools you can use in Splunk Enterprise.

KV store status

You can check the status of the KV store by using the command line, by making a REST API GET request, or by running the KV store health check in the monitoring console (see Access and customize health check in Monitoring Splunk Enterprise).

KV store status CLI command

Using the command line from any KV store member, in $SPLUNK_HOME/bin type:

./splunk show kvstore-status

See About the CLI for information about using the CLI in Splunk software.

KV store status REST endpoint

Using the REST API, you can use cURL to make a GET request:

curl -k -u user:pass https://<host>:<mPort>/services/kvstore/status

See Basic Concepts in the REST API User Manual for more information about the REST API.

KV store status definitions

The following is a list of possible values for status and replicationStatus and their definitions. For more information about abnormal statuses for your KV store members, check mongod.log and splunkd.log for errors and warnings.

KV store status Definition
starting
  • In the case of a standalone search head, this status usually switches to ready relatively quickly after synchronization of a list of defined collections, accelerated fields, and so on.
  • In the case of a search head cluster, this status switches to ready when the search head cluster is bootstrapped (after the search head cluster captain is elected) and the search head cluster captain propagates status to all search head cluster members.
disabled KV store is disabled in server.conf on this instance. If this member is a search head cluster member, its status remains disabled only if all other members of the search head cluster have KV store disabled.
ready KV store is ready for use.
failed Failed to bootstrap and join the search head cluster.
shuttingdown Splunk software has notified KV store about the shutting down procedure.
KV store replication status Definition
Startup Member is just starting, give it time.
KV store captain Member has been elected KV store captain.
Non-captain KV store member Healthy noncaptain member of KV store cluster.
Initial sync This member is resynchronizing data from one of the other KV store cluster members. If this happens too often or if this member is stuck in this state, check mongod.log and splunkd.log on this member, and verify connection to this member and connection speed.
Down Member has been stopped.
Removed Member has been removed from the KV store cluster, or is in the process of being removed.
Rollback / Recovering / Unknown status Member might have a problem. Check mongod.log and splunkd.log on this member.

Sample command-line response:

This member:
		                     date : Tue Jul 21 16:42:24 2016
		                  dateSec : 1466541744.143000
		                 disabled : 0
		                     guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
		        oplogEndTimestamp : Tue Jul 21 16:41:12 2016
		     oplogEndTimestampSec : 1466541672.000000
		      oplogStartTimestamp : Tue Jul 21 16:34:55 2016
		   oplogStartTimestampSec : 1466541295.000000
		                     port : 8191
		               replicaSet : splunkrs
		        replicationStatus : KV store captain
		               standalone : 0
		                   status : ready

 Enabled KV store members:
	10.140.137.128:8191
		                     guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
		              hostAndPort : 10.140.137.128:8191
	10.140.137.119:8191
		                     guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18
		              hostAndPort : 10.140.137.119:8191
	10.140.136.112:8191
		                     guid : D6190F30-C59A-423Q-AB48-80B0012317V5
		              hostAndPort : 10.140.136.112:8191

 KV store members:
	10.140.137.128:8191
		            configVersion : 1
		             electionDate : Tue Jul 21 16:42:02 2016
		          electionDateSec : 1466541722.000000
		              hostAndPort : 10.140.134.161:8191
		               optimeDate : Tue Jul 21 16:41:12 2016
		            optimeDateSec : 1466541672.000000
		        replicationStatus : KV store captain
		                   uptime : 108
	10.140.137.119:8191
		            configVersion : 1
		              hostAndPort : 10.140.134.159:8191
		            lastHeartbeat : Tue Jul 21 16:42:22 2016
		        lastHeartbeatRecv : Tue Jul 21 16:42:22 2016
		     lastHeartbeatRecvSec : 1466541742.490000
		         lastHeartbeatSec : 1466541742.937000
		               optimeDate : Tue Jul 21 16:41:12 2016
		            optimeDateSec : 1466541672.000000
		                   pingMs : 0
		        replicationStatus : Non-captain KV store member
		                   uptime : 107
	10.140.136.112:8191
		            configVersion : -1
		              hostAndPort : 10.140.133.82:8191
		            lastHeartbeat : Tue Jul 21 16:42:22 2016
		        lastHeartbeatRecv : Tue Jul 21 16:42:00 2016
		     lastHeartbeatRecvSec : 1466541720.503000
		         lastHeartbeatSec : 1466541742.959000
		               optimeDate : ZERO_TIME
		            optimeDateSec : 0.000000
		                   pingMs : 0
		        replicationStatus : Down
		                   uptime : 0

KV store messages

The KV store logs error and warning messages in internal logs, including splunkd.log and mongod.log. These error messages post to the bulletin board in Splunk Web. See What Splunk software logs about itself for an overview of internal log files.

Recent KV store error messages also appear in the REST /services/messages endpoint. You can use cURL to make a GET request for the endpoint, as follows:

curl -k -u user:pass https://<host>:<mPort>/services/messages

For more information about introspection endpoints, see System endpoint descriptions in the REST API Reference Manual.

Monitor KV store performance

You can monitor your KV store performance through two views in the monitoring console. One view provides insight across your entire deployment. See KV store: Deployment in Monitoring Splunk Enterprise.

The instance-scoped view gives you detailed information about KV store operations on each search head. See KV store: Instance in Monitoring Splunk Enterprise.

PREVIOUS
Back up KV Store
  NEXT
Apps and add-ons

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0, 7.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters