Splunk Enterprise

Upgraded from 7.0.5 to 7.3.3 and now get TsidxStats ERRORs in splunkd.log

kmarciniak
Path Finder

After upgrading to 7.3.3 from 7.0.5 these two log ERRORs are new

ERROR 2019-12-10 08:01:19.755 security TsidxStats Missing search clause after 'WHERE' keyword 1
ERROR 2019-12-10 08:01:46.309 security TsidxStats Wildcards (*) are not supported in aggregate fields 1

I found a similar log message where it mentions this is a bug.
https://answers.splunk.com/answers/593866/how-to-resolve-this-error-error-in-tsidxstats-wher-1.html

Has anyone seen these two log messages? I'm trying to gauge the significance before upgrading our production environment.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

IIRC those error generated by scheduled search Audit - Dataset Relation from App SA-Utils which runs at every 30 minutes and in backend it is running contentinfo_rest_handler.py

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Are you running Splunk Enterprise Security ?

0 Karma

kmarciniak
Path Finder

yes, we also upgraded Enterprise Security from 5.0.1 to 5.3.1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...