Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how do I know if a search head restart did make my results incomplete?

MonkeyK
Builder
‎02-24-2018 09:28 AM

My admin team frequently needs restart our search heads while I have a long running query still running. When this happens, my search page shows the following message

Reading error while waiting for peer . This can be caused by the peer unexpectedly closing or resetting the connection. Search results might be incomplete! If the problem persists, confirm network connectivity between this instance and the peer, and review search.log and splunkd.log on the peer to check its activity.

The message notes that "results might be incomplete". Is there a way to tell if they actually are incomplete?

0 Karma
Reply

valiquet
Contributor
‎03-09-2018 02:24 AM

index=_internal sourcetype=scheduler OR sourcetype=splunkd user=youruser ... search for your search. Status should be completed or success

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 09:24 AM

That sounds like a task where the Network Datamodel from the Common Information Model might help, once your admins have accelerated it.

...and yes, frequent restarts because high availability sounds like we're missing a good chunk of the picture.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-24-2018 03:56 PM

That messages reads like an indexer (= search peer) was restarted, or at least connection was lost to it. If your search head was restarted, I'd expect the search job itself to stop.

That being said, I'd assume incorrect results.
The only scenario where the results would be complete is if that search peer was still searching for data when the connection was lost, but there was no more data to be found - unlikely.

I'd talk to the admin team about why they need restarts that frequently.
Additionally, many searches can be made to run faster through optimization. Feel free to ask a separate question with your search.

0 Karma
Reply

MonkeyK
Builder
‎02-25-2018 08:52 AM

Thanks Martin, I think that I have to trust my admin team on the needed frequency of restarts. They say that it is related to high availability, which seems counter intuitive to me since high-availability should mean that my queries run. So either I have to become an admin to counter the point, or accept the reasoning

Good idea on a separate question for my query. I suspect that it will just run long since it is summarizing billions of network traffic events. But always worth an ask.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...