Splunk 7.1.0 upgrade of FREE version finalizes searches with message 'Search auto-finalized after disk usage limit (0MB) reached.'

Wobe
Explorer

After upgrading from 7.0.3 to 7.1.0, longer searches will be auto-finalized!
So most results will not be correct, because not all events will be used for a given time range.

Example: (All time search, no config changes in disk quotas done)
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message

This happens with ALL searches I was able to test. The disk quota in the FREE version is promised to be not limited.
It happens on every upgrade installation with V7.1.0.

What did I do wrong?

1 Solution

Wobe
Explorer

Tested the issue with V7.1.2.
It seems to be fixed.

I'm happy. 🙂

justodaniel
Path Finder

7.1.2 update works for me too. 🙂

0 Karma

splunkLPN
Path Finder

7.1.2 update works for me too. 🙂

Thanks!

0 Karma

worshamn
Contributor

This appears to be fixed as of 7.1.2 as it now works in the situation I was having a problem with.

0 Karma

schultemn
Engager

7.1.2 is also working again for me.

0 Karma

matejkaj
Engager

Downgrading from 7.1.1 to 7.0.4 fixed this issue for me.

0 Karma

Wobe
Explorer

Yes, the problem is with 7.1.0 and 7.1.1 not with 7.0.X.

I wonder why there is no quick fix yet because the 7.1.0 and 7.1.1 are completely unusable (at least for me).

It's not an issue with a seldom-used feature but with ALL searches (with many events) as described above.
Still hoping for a solution.....

0 Karma

cgoudie
New Member

@xpac This is definitely still a problem in Splunk 7.1.1

It happens on all searches with enough time on them, not just realtime.

Please fix

0 Karma

xpac
SplunkTrust

I don't do fixes, I just summarized that this behavior has been noticed multiple times and that $SplunkPeople have confirmed that this shouldn't happen. I don't know any details about a fix, sorry.

0 Karma

splunkLPN
Path Finder

Uninstalling and going back to 6.6.7 with an enterprise dev licence solves the problem.
But installing 7.1 or upgrading to 7.1 opens the door to the bug.
I hope 7.2 or later will be a solution 🙂

0 Karma

Wobe
Explorer

Version 7.0.3 also did not show the problem. Maybe it has to do with the user management extensions they implemented in 7.1.

0 Karma

kjetilho
Engager

Still an issue in the new 7.1.1 version. This is very disappointing!

0 Karma

splunkLPN
Path Finder

I tried to uninstall and reinstall everything (no more opt/splunk directory), and... I still have the error.

0 Karma

Wobe
Explorer

So this happens also with a fresh install using the Enterprise trial license?
Not good.
It probably should become a highlighted issue.

0 Karma

splunkLPN
Path Finder

Trial converted to dev in my case.
But my old free licence is recreated during the install. I don't know where the information is that I need to erase to do a real fresh start on Ubuntu.

0 Karma

splunkLPN
Path Finder

Another particular case with my lab machine is that, for safety reasons, it's not connected to the net. Is that your case too? I made the update using a USB key.

0 Karma

Wobe
Explorer

Mine is also not connected to the internet. Should not matter.

0 Karma

splunkLPN
Path Finder

I have the same bug coming from a 6 free version with 3 violations to a 7.1 developer license.

The hash of my free license is:
hash FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
is_unlimited False
label Splunk Free

I can't remove it.
Is it the same for you?

Have you tried to set up an authorize.conf file?

[role_Administrator]
srchDiskQuota = 1000000

I have a rights problem on my lab machine for the moment and can't test this fix.

0 Karma

Wobe
Explorer

I have the same hash as you.

I've tested a similar quota configuration before, retested yours now and got no success.

I think it is a very severe issue. Searches with many events simply deliver incorrect results regardless of quotas or timerange settings!

0 Karma

schultemn
Engager

I don't have much helpful to add, other than to confirm this issue is present in one of my environments too.

Log shows (trimmed):

05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')

0 Karma
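
Added example, not part of the original thread: a Python sketch that scans log text in the format quoted in the post above for searches auto-finalized on disk quota and flags those whose reported limit is 0MB, the symptom discussed here, because such searches return incomplete results without failing. The fifth sample line, the function name and the record fields are constructed for illustration.

```python
import re

# Constructed sample: the four lines quoted in the post above, plus one
# made-up line (sid 1526334500.12) for a search stopped by a real 100MB quota.
SAMPLE_LOG = """\
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')
05-14-2018 16:50:02.101 INFO SearchStatusEnforcer - sid:1526334500.12 Search auto-finalized after disk usage limit (100MB) reached.
"""

# Only lines that carry a sid are matched, so the "State changed" echo of
# the same event is not counted twice.
AUTO_FINALIZED = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+\s+"
    r"SearchStatusEnforcer - sid:(?P<sid>\S+) "
    r"Search auto-finalized after disk usage limit \((?P<limit>\d+)MB\) reached\."
)
DISPATCH_DONE = re.compile(
    r"dispatchHasFinished\(id='(?P<sid>[^']+)', username='(?P<user>[^']*)'\)"
)


def find_truncated_searches(log_text):
    """Return one record per search id that was auto-finalized on disk quota."""
    hits, users = {}, {}
    for line in log_text.splitlines():
        m = AUTO_FINALIZED.match(line)
        if m:
            limit = int(m.group("limit"))
            # Keep the first occurrence per sid; a 0MB limit cannot be a
            # deliberately configured quota, so mark it separately.
            hits.setdefault(m.group("sid"), {
                "sid": m.group("sid"),
                "first_seen": m.group("ts"),
                "limit_mb": limit,
                "zero_limit": limit == 0,
            })
            continue
        m = DISPATCH_DONE.search(line)
        if m:
            users[m.group("sid")] = m.group("user")
    # Attach the dispatching user where the log recorded one.
    return [dict(rec, user=users.get(sid)) for sid, rec in hits.items()]


if __name__ == "__main__":
    for rec in find_truncated_searches(SAMPLE_LOG):
        print(rec)
```

Any saved search or alert whose sid shows up with `zero_limit` set should be treated as having run on partial data for that time range.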