It does look like I will have to open a TAC case,  I'll keep the thread updated.    

I've tried several creative ways of running mdsenv on the MLM's and they are not reliable.   Even ones that seem to correctly move between the domains when added at the CLI and work for a while, will stop working after a service stop and start,  mdsstop and start...etc.

Getting skyline to run mdsenv to switch to different domains, even for a moment, to run one command seems to be an issue.

Right now its broken again and I'm waiting till I get mdsenv to work consistently.   I think some of my variability was the fact that it wasn't switching domains correctly.    Sometimes not switching at all and sometimes erroring out on the command and not running the rest of the script.

Yeah, I just confirmed that running /etc/profile.d/CP.sh before /opt/CPotlpAgent/cs_data_handler_is.bash results in a non-working mdsenv, and running it after results in the rest of the script not working. This feels wildly kludgy. I made some changes, and this seems to be working for me:

#!/bin/bash
. /opt/CPotlpAgent/cs_data_handler_is.bash

#Grab list of MDS Domains from MDS Stat, Loop through them
mdsstat | grep CMA | cut -d"|" -f3 | while read cmaName; do
	#Have to export the CMA name so we can pass it to a subshell.
	export cmaName
	loggingInfo=$(bash -lic 'mdsenv "${cmaName}"; cpstat ls -f logging')
	#loop through cpstat, pulling each connected firewall and the log count
	<<<"${loggingInfo}" grep "Connected" | grep -v "Gateways" \
	| while read line; do
		set_ot_object new value "$(<<<"${line}" cut -d"|" -f5 | tr -d '[:space:]')"
		set_ot_object last label Firewall_Name "$(<<<"${line}" cut -d"|" -f2 | tr -d '[:space:]')"
	done
done

script_exit "Finished running" 0

The one-liner I posted above should find the Prometheus instance you're sending data to and ask it for all the values it has for the label Firewall_Name. The idea is to check where the problem is: if Prometheus has all the names, the problem is likely in Grafana.

I think we were posting to the thread at the same time,   I'll give it a try.

So this does work.   for a while.

I put this on 6 MLM's.    all of the gathered data for around 24 hours   +- 3 hours.     Then they just stopped.    restarting /opt/CPotelcol/CPotelcolCli.sh didn't make them come back and didn't generate a message in the logs.

However they all started this message about that time.

ts=2025-05-12T14:48:03.059Z caller=level.go:63 ts=2025-05-12T14:48:03.059Z caller=level.go:63 level=info msg="Api Status Collector: Command: api status Failed" TheCommand:apiexceededtheruntimethreshold=(MISSING)

I cant find that a major API command was run against them around that time that would have locked up the API service, but the API service is not happy on any of them.

The one MLM that I've been doing all my testing on is very broken now.    after a reboot, and no other changes, its back to giving me errors about "bash can't find the command"....   Its the exact some file that was working before...    (I got so paranoid as to restore from backup and MD5Hash the 2 files).    

So something with our work around is not stable long term.

I'll reboot some of the other log servers when I have a window and keep the thread updated.

What jumbo are you on?

Anything in /var/log/dump/usermode? Sounds like a process is crashing.

I'm on R81.20 jumbo 96

At least some of them had the lock file in the temp folder that I mentioned in the troubleshooting post....  ( forgot my own troubleshooting suggestions)
/var/log/cs_data_handler_is.bash.log

.....
Unable to acquire script lock: /tmp/cs_data_handler_is.bash.lock
....

Deleting and restarting services.

The times match up with when I'm backing up the logs from these MLM's.
The backup is a ssh in from a remote linux box and a rsync command.     
Maybe some conflict with spawning more than one bash shell?
CPU related or IO?  I wouldn't think so, these are 6000XL's and not super busy at that time of day.
I'll try an get some more data.
No crash dumps on any of them.

I also wouldn't expect this to be load-related. Once in the bad state, what do you get when you run 'api status' yourself?

What does $FWDIR/log/api.elg say?

The api acts weird on all my MLM's.   We don't run the API against them directly ever so I"m not sure what is normal.   but the API readiness tests always seem to fail.    So I'm pretty sure that is normal for these.   

api status, does come back with a full page of text after about 20 seconds, but with the status "API Stopped".

Yesterday I got 5 running again.    3 are still running ~24 hours later.    One stopped after about 3 hours, the other one after about 12 hours.    

Both the ones that stopped had the lock directory in /tmp/   but looking closer they also had a "storage" file in tmp from the time of the crash.

[Expert@****-mlm3:0]# ls -lh /tmp/cs*
-rw-r--r-- 1 admin root 12K May 14 06:15 /tmp/cs_data_handler_is.bash.storage.vP SVQ4

/tmp/cs_data_handler_is.bash.lock:
total 0
[Expert@***-mlm3:0]#

Not sure if this is a symptom of the issue or a cause?    My skyline VM is in the same datacenter as the two MLM's that crashed, so connectivity shouldn't be an issue.   Previously the local MLM stopped and the ones 1000 miles away stopped but not all at the same time.

So I"m not sure what to make of that.

We had a spike over night where 2 MLM's processed 30,000+ logs per second each for several mins and they continued to report afterwards so, as expected, probably not CPU.

This is a side project right now trying to balance some of the MLM load so I'm getting the "urgent" data I need for the most part with a bit of extra work restarting services, but I'd like to have this long term.    I'll keep poking at it.    

I'd like to see others running it to see if its something unique to my setup.

That's definitely not normal. On my MLMs, the readiness test passes. 'mgmt_cli -f json -r true show domains' shows my domains. I can't show objects from the domains, but I can show objects and rules from the Global domain, and can show objects from the MDS level (like administrators; the 'show domains' command technically runs in the MDS domain).

I would involve the TAC at this point. The API log should contain some information about the last call which worked and the first call which failed. One of those is probably breaking something.

The MLM's that I've rebooted have stayed up for more than 24 hours now.   The one MLM that I have not rebooted, crashed after about 16 hours with the lock file.

So I'll continue to watch this for a while.    Maybe a resource / memory leak.    

Time will tell.

Next week I'll have some time to spend on a TAC case.

After the MLM's were rebooted, the custom script has been far more stable.    The 'other' MLM's had been up for months and just had the good working copy of the script installed one time.

Once they were rebooted, they have been stable for 5 - 7 days now.   No idea why it took a full reboot to help with the stability

After reboot, the custom script has been stable now for ~3 weeks.   I"m not sure why it took a reboot to get it working correctly.   As I don't have a non working MLM any more getting to the bottom of that is not likely.

I'm not sure if we want to do a new thread with the script so its easier to find.   I updated the title to the thread so maybe it will pop up in some searches.

Thanks @Bob_Zimmerman  and @David_Evans for the nice short script. 
I am actually working on the same kind of customscript, but mine was much longer for the same output 🙈

I added 3 improvements to your scripts:

• additional label for clm to have the possibility to filter by clm
• additional filter for "Local Clients"
• label type "lograte" (just cosmetics)

Thanks a lot.
Looking forward to see the outcome of @David_Evans investigations.

#!/bin/bash
. /opt/CPotlpAgent/cs_data_handler_is.bash

#Grab list of MDS Domains from MDS Stat, Loop through them
mdsstat | grep CMA | cut -d"|" -f3 | while read cmaName; do
	#Have to export the CMA name so we can pass it to a subshell.
	export cmaName
	loggingInfo=$(bash -lic 'mdsenv "${cmaName}"; cpstat ls -f logging')
	#loop through cpstat, pulling each connected firewall and the log count
	<<<"${loggingInfo}" grep "Connected" | grep -Ev "Gateways|Local Clients" \
	| while read line; do
		set_ot_object new value "$(<<<"${line}" cut -d"|" -f5 | tr -d '[:space:]')"
		set_ot_object last label clm "${cmaName}"
		set_ot_object last label Firewall_Name "$(<<<"${line}" cut -d"|" -f2 | tr -d '[:space:]')"
		set_ot_object last label type "lograte"
	done
done

script_exit "Finished running" 0

Regards
Sven

I would be delighted if this knowledge could be included in a sk article.