KV store troubleshooting tools
This topic discusses tools for viewing KV store status and its log files. It also discusses some monitoring tools that you can use in Splunk Enterprise.
Check KV store status
You can check the status of the KV store in the following ways:
- Use the command line.
- Make a REST API GET request.
- Run the KV store health check in the monitoring console. See Access and customize health check in Monitoring Splunk Enterprise.
KV store status CLI command
On the command line from any KV store member, in $SPLUNK_HOME/bin type the following command:
./splunk show kvstore-status
See About the CLI for information about using the CLI in Splunk software.
KV store status REST endpoint
Use cURL to make a GET request with the REST API:
curl -k -u user:pass https://<host>:<mPort>/services/kvstore/status
See Basic Concepts in the REST API User Manual for more information about the REST API.
KV store status definitions
The following is a list of possible values for status and replicationStatus and their definitions. For more information about abnormal statuses for your KV store members, check mongod.log and splunkd.log for errors and warnings.
| KV store status | Definition |
|---|---|
| starting |
|
| disabled | KV store is disabled in server.conf on this instance. If this member is a search head cluster member, its status remains disabled only if all other members of the search head cluster have KV store disabled. |
| ready | KV store is ready for use. |
| failed | Failed to bootstrap and join the search head cluster. |
| shuttingdown | Splunk software has notified KV store about the shutting down procedure. |
| KV store replication status | Definition |
|---|---|
| Startup | Member is starting. |
| KV store captain | Member is the elected KV store captain. |
| Non-captain KV store member | Healthy noncaptain member of KV store cluster. |
| Initial sync | This member is resynchronizing data from one of the other KV store cluster members. If this happens often, or if this member remains in this state, check mongod.log and splunkd.log on this member, and verify connection to this member and connection speed. |
| Down | Member is stopped. |
| Removed | Member is removed from the KV store cluster, or is in the process of being removed. |
| Rollback / Recovering / Unknown status | Member might have a problem. Check mongod.log and splunkd.log on this member. |
Sample command-line response:
This member:
date : Tue Jul 21 16:42:24 2016
dateSec : 1466541744.143000
disabled : 0
guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
oplogEndTimestamp : Tue Jul 21 16:41:12 2016
oplogEndTimestampSec : 1466541672.000000
oplogStartTimestamp : Tue Jul 21 16:34:55 2016
oplogStartTimestampSec : 1466541295.000000
port : 8191
replicaSet : splunkrs
replicationStatus : KV store captain
standalone : 0
status : ready
Enabled KV store members:
10.140.137.128:8191
guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
hostAndPort : 10.140.137.128:8191
10.140.137.119:8191
guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18
hostAndPort : 10.140.137.119:8191
10.140.136.112:8191
guid : D6190F30-C59A-423Q-AB48-80B0012317V5
hostAndPort : 10.140.136.112:8191
KV store members:
10.140.137.128:8191
configVersion : 1
electionDate : Tue Jul 21 16:42:02 2016
electionDateSec : 1466541722.000000
hostAndPort : 10.140.134.161:8191
optimeDate : Tue Jul 21 16:41:12 2016
optimeDateSec : 1466541672.000000
replicationStatus : KV store captain
uptime : 108
10.140.137.119:8191
configVersion : 1
hostAndPort : 10.140.134.159:8191
lastHeartbeat : Tue Jul 21 16:42:22 2016
lastHeartbeatRecv : Tue Jul 21 16:42:22 2016
lastHeartbeatRecvSec : 1466541742.490000
lastHeartbeatSec : 1466541742.937000
optimeDate : Tue Jul 21 16:41:12 2016
optimeDateSec : 1466541672.000000
pingMs : 0
replicationStatus : Non-captain KV store member
uptime : 107
10.140.136.112:8191
configVersion : -1
hostAndPort : 10.140.133.82:8191
lastHeartbeat : Tue Jul 21 16:42:22 2016
lastHeartbeatRecv : Tue Jul 21 16:42:00 2016
lastHeartbeatRecvSec : 1466541720.503000
lastHeartbeatSec : 1466541742.959000
optimeDate : ZERO_TIME
optimeDateSec : 0.000000
pingMs : 0
replicationStatus : Down
uptime : 0
KV store messages
The KV store logs error and warning messages in internal logs, including splunkd.log and mongod.log. These error messages post to the bulletin board in Splunk Web. See What Splunk software logs about itself for an overview of internal log files.
Recent KV store error messages also appear in the REST /services/messages endpoint. You can use cURL to make a GET request for the endpoint, as follows:
curl -k -u user:pass https://<host>:<mPort>/services/messages
For more information about introspection endpoints, see System endpoint descriptions in the REST API Reference Manual.
Updating the IP address of a KV store server can require a resync
If you update the IP address of a KV store server, you might receive the following error in mongod.log:
Did not find local replica set configuration document at startup; NoMatchingDocument
Did not find replica set configuration document in local.system.replset
To reconfigure the cluster to pick up the new IP address, resync to force the cluster configuration to refresh:
splunk resync shcluster-replicated-config
A manual resync with this command overwrites any local changes on that KV store server. For more information about manually resyncing a cluster member, see Why a recovering member might need to resync manually in the Distributed Search manual.
For more information about resyncing the KV store, see Resync the KV store.
Monitor KV store performance
You can monitor your KV store performance through two views in the monitoring console. The KV store: Deployment dashboard provides information aggregated across all KV stores in your Splunk Enterprise deployment. The KV store: Instance dashboard shows performance information about a single Splunk Enterprise instance running the KV store. See KV store dashboards in Monitoring Splunk Enterprise.