07-14-2017 08:31 AM
I need some help understanding the sudden_death behavior with a MineMeld miner/prototype.
From the documentation[1], I understand that sudden_death is designed to immediately age out indicators when they disappear from a feed.
Is it comparing the current indicator list to the latest run of the feed, recording indicators in the current list but no longer in the feed and then setting to age out at the next age out? If so, what happens if the indicator appears in a subsequent run of the feed? Will it be added back to the list of indicators, or is excluded because it previously disappeared?
Thanks for your help understanding.
[1] - https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185
07-14-2017 12:44 PM
If you have it set to sudden_death:true and the run is missing an indicator currently in the miner then the EMIT_WITHDRAW is immeditely issued and the indicator is removed from the miner.
If an IP is listed on the next pull then it will be given a new age_out run number. The process continues until the indicator is no longer listed in the feed that the miner node is looking at.
Generally I would say that sudden_death and age_out are not usually used in conjunction with each other, or at the very least it's ineffective to use both depending on what you are doing. If you have age_out:3d for example the indicator is going to be removed after 3 days but if it's still in the listing it will just get added to the list of indicators again. If you have sudden_death:true then the indicator will be removed whenever the miner completes a run and the indicator is now missing. If you have both enabled essentially you only have a sudden_death configuration because the listing is just going to get readded until it gets removed from the list that you are polling.
07-14-2017 01:14 PM
Thanks, that seems logical. That moves me on to my next troubleshooting step.
I created a separate thread for this[1], but are you aware of any way to debug a specific miner?
I'd like to see the command that is running when a particular miner is connecting so that I can verify that it isn't the miner that is contributing to what appears to be a much smaller number of indicators than expected the miner with sudden_death:true.
[1] - https://live.paloaltonetworks.com/t5/General-Topics/MineMeld-debugging-miner/m-p/166625
07-16-2017 04:53 PM
I don't know a way to actually debug a miner node in the way that you are asking, if you could post the actual configuration that you are using I could take a look at it and see if anything sticks out.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
