KV store troubleshooting tools
This topic discusses tools for viewing KV store status and its log files. It also discusses some proactive monitoring tools you can use in Splunk Enterprise.
KV store status
You can check the status of the KV store by using the command line or by making a REST API GET request.
KV store status CLI command
Using the command line from any KV store member, in
./splunk show kvstore-status. See About the CLI for information about using the CLI in Splunk software.
KV store status REST endpoint
Using the REST API, you can use cURL to make a GET request:
curl -k -u user:pass https://<host>:<mPort>/services/server/info
See Basic Concepts in the REST API User Manual for more information about the REST API.
KV store status definitions
The following is a list of possible values for
replicationStatus and their definitions.
|KV store status||Definition|
|disabled||KV store is disabled in server.conf on this instance. If this member is a search head cluster member, its status remains disabled only if all other members of the search head cluster have KV store disabled.|
|ready||KV store is ready for use.|
|failed||Failed to bootstrap and join the search head cluster. For more information, check mongod.log and splunkd.log for errors.|
|shuttingdown||Splunk software has notified KV store about the shutting down procedure.|
|KV store replication status||Definition|
|Startup||Member is just starting, give it time.|
|KV store captain||Member has been elected KV store captain.|
|Non-captain KV store member||Healthy noncaptain member of KV store cluster.|
|Initial sync||This member is resynchronizing data from one of the other KV store cluster members. If this happens too often or if this member is stuck in this state, check mongod.log and splunkd.log on this member, and verify connection to this member and connection speed.|
|Down||Member has been stopped.|
|Removed||Member has been removed from the KV store cluster, or is in the process of being removed.|
|Rollback / Recovering / Unknown status||Member might have a problem. Check mongod.log and splunkd.log on this member.|
Sample command-line response:
This member: date : Tue Jul 21 16:42:24 2016 dateSec : 1466541744.143000 disabled : 0 guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91 oplogEndTimestamp : Tue Jul 21 16:41:12 2016 oplogEndTimestampSec : 1466541672.000000 oplogStartTimestamp : Tue Jul 21 16:34:55 2016 oplogStartTimestampSec : 1466541295.000000 port : 8191 replicaSet : splunkrs replicationStatus : KV store captain standalone : 0 status : ready Enabled KV store members: 10.140.137.128:8191 guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91 hostAndPort : 10.140.137.128:8191 10.140.137.119:8191 guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18 hostAndPort : 10.140.137.119:8191 10.140.136.112:8191 guid : D6190F30-C59A-423Q-AB48-80B0012317V5 hostAndPort : 10.140.136.112:8191 KV store members: 10.140.137.128:8191 configVersion : 1 electionDate : Tue Jul 21 16:42:02 2016 electionDateSec : 1466541722.000000 hostAndPort : 10.140.134.161:8191 optimeDate : Tue Jul 21 16:41:12 2016 optimeDateSec : 1466541672.000000 replicationStatus : KV store captain uptime : 108 10.140.137.119:8191 configVersion : 1 hostAndPort : 10.140.134.159:8191 lastHeartbeat : Tue Jul 21 16:42:22 2016 lastHeartbeatRecv : Tue Jul 21 16:42:22 2016 lastHeartbeatRecvSec : 1466541742.490000 lastHeartbeatSec : 1466541742.937000 optimeDate : Tue Jul 21 16:41:12 2016 optimeDateSec : 1466541672.000000 pingMs : 0 replicationStatus : Non-captain KV store member uptime : 107 10.140.136.112:8191 configVersion : -1 hostAndPort : 10.140.133.82:8191 lastHeartbeat : Tue Jul 21 16:42:22 2016 lastHeartbeatRecv : Tue Jul 21 16:42:00 2016 lastHeartbeatRecvSec : 1466541720.503000 lastHeartbeatSec : 1466541742.959000 optimeDate : ZERO_TIME optimeDateSec : 0.000000 pingMs : 0 replicationStatus : Down uptime : 0
KV store messages
The KV store logs error and warning messages in internal logs, including splunkd.log and mongod.log. These error messages post to the bulletin board in Splunk Web. See What Splunk software logs about itself for an overview of internal log files.
Recent KV store error messages also appear in the REST
/services/messages endpoint. You can use cURL to make a GET request for the endpoint, as follows:
curl -k -u user:pass https://<host>:<mPort>/services/messages
For more information about introspection endpoints, see System endpoint descriptions in the REST API Reference Manual.
Monitor KV store performance
You can monitor your KV store performance through two views in the monitoring console. One view provides insight across your entire deployment. See KV store: Deployment in Monitoring Splunk Enterprise.
The instance-scoped view gives you detailed information about KV store operations on each search head. See KV store: Instance in Monitoring Splunk Enterprise.
Back up KV store
Apps and add-ons
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10