Search Returns Exit Code -2

alacercogitatus
SplunkTrust

Here's the situation. I have an international server. When trying to search it as a distributed peer, it exits with this message.

[REMOTE_WAN_HOST] Search process did not exit cleanly, exit_code=-2, description="exited with code -2". Please look in search.log for this peer in the Job Inspector for more info.

So I take a look in the peer's dispatch directory for the search log. I find this.


08-27-2013 00:56:51.884 INFO UserManager - Setting user context: USER
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'admin'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'ess_admin'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'ess_analyst'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'ess_user'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'power'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'user'
08-27-2013 00:56:51.884 ERROR UserManagerPro - user="USER" had no roles
08-27-2013 00:56:51.884 ERROR UserManager - Error while setting user context: user="USER" had no roles
08-27-2013 00:56:51.884 INFO UserManager - Done setting user context: NULL -> NULL
08-27-2013 00:56:51.884 INFO UserManager - Unwound user context: NULL -> NULL
08-27-2013 00:56:51.884 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Application does not exist: search

All of these roles and the USER exist in exactly the same way as on the search head. I'm at a loss on why it's not working correctly.


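An added example, not part of the original thread and not Splunk's own tooling: a small Python triage script that scans a peer's search.log for the pattern quoted in the question (Unknown role warnings, a user left with no roles, and the missing-application dispatch error). The sample log is constructed from the lines in the question, and the name `triage` and the result keys are hypothetical.

```python
import re

# Constructed sample, modelled on the search.log lines quoted in the question.
SAMPLE_LOG = """\
08-27-2013 00:56:51.884 INFO UserManager - Setting user context: USER
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'admin'
08-27-2013 00:56:51.884 WARN AuthorizationManager - Unknown role 'power'
08-27-2013 00:56:51.884 ERROR UserManagerPro - user="USER" had no roles
08-27-2013 00:56:51.884 ERROR UserManager - Error while setting user context: user="USER" had no roles
08-27-2013 00:56:51.884 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Application does not exist: search
"""

LINE_RE = re.compile(
    r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
# Message shapes taken from the quoted log; other versions may word them differently.
PATTERNS = {
    "unknown_roles": re.compile(r"^Unknown role '([^']+)'$"),
    "users_without_roles": re.compile(r'user="([^"]*)" had no roles$'),
    "missing_apps": re.compile(r"Application does not exist: (\S+)"),
}


def triage(log_text):
    """Summarise role-resolution failures in a peer's search.log (hypothetical helper)."""
    result = {key: [] for key in PATTERNS}
    result["unparsed"] = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        line = LINE_RE.match(raw)
        if line is None:
            result["unparsed"] += 1  # continuation lines, banners, stack traces
            continue
        for key, pattern in PATTERNS.items():
            hit = pattern.search(line.group("msg"))
            if hit and hit.group(1) not in result[key]:
                result[key].append(hit.group(1))  # de-duplicate, keep first-seen order
    # The pattern from the question: roles rejected AND the user left with none.
    result["role_resolution_failed"] = bool(
        result["unknown_roles"] and result["users_without_roles"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
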
brod_geico
Path Finder

Check this URL. I had similar issues, then I found a version mismatch on the SH peers.

http://answers.splunk.com/answers/192592/search-process-did-not-exit-cleanly-exit-code255-d.html#ans...

0 Karma

brod_geico
Path Finder

A few places you can check:
Search peers are running with inconsistent versions.
Check the search peers' status.
Ask the user, and check whether that job/lookup table lacks the right permissions or does not exist everywhere.

0 Karma

David
Splunk Employee

I had this same error... I tried a number of troubleshooting steps, but by the time I upped the debug level it randomly started working again (after failing for more than a day). I assume that timing is just coincidental. An upgrade to 6.0.1 didn't resolve it, and restarting the entire environment didn't resolve it. Also, deleting and re-adding the search peer didn't resolve it. After the last restart, it still failed... and then randomly began working again.

0 Karma

somesoni2
SplunkTrust

Hey, I am facing a similar issue. Were you able to resolve it?

0 Karma