Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Internal Log Errors - copyresults

SplunkFu
Path Finder
‎04-11-2013 06:57 AM

Hi there,

I was just looking through our splunkd logs, and I notice multiple errors for the following:

<dateTime> ERROR SearchOperator:copyresults - You must provide a search id.

I couldn't really find much on splunkbase, so I turned up the logging for the copyresults command, and I can now see the following as an example:

INFO  SearchOperator:copyresults - mapped lookup name=system_uptime_tracker to fn=C:\Program Files\Splunk\etc\apps/SA-EndpointProtection/lookups/system_uptime_tracker.csv

INFO  SearchOperator:copyresults - copy results.csv.gz to C:\Program Files\Splunk\etc\apps\SA-EndpointProtection\lookups\system_uptime_tracker.csv, success=1

INFO  ExecProcessor - Ran script: python "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\notable_owners.py", took 2168.4 milliseconds to run, 0 bytes read

ERROR SearchOperator:copyresults - You must provide a search id.

ERROR SearchOperator:copyresults - You must provide a search id.

Does anyone have any thoughts on this? I am seeing the events for other apps as well.

Thanks in advance,

SplunkFu

Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎04-11-2013 02:14 PM

I'm not sure of the exact root cause but I think it was due to some overly aggressive logging. Reportedly, the messages no longer appear with 5.0.2 and later. Incidentally, I don't see them anymore ever since I upgraded my installation.

View solution in original post

Reply
Solved! Jump to solution

tskinnerivsec
Contributor
‎06-25-2013 04:01 PM

I just upgraded to splunk 5.0.3 and I do have one instance of this error with a time stamp of 10 minutes ago and I performed the upgrade well over an hour ago. I'll chase it down, but I wouldn't say the issue is resolved with the most recent upgrade.

0 Karma
Reply
Solved! Jump to solution

LukeMurphey
Champion
‎04-11-2013 02:14 PM

What version of ES and Splunk you are on?

0 Karma
Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎04-11-2013 02:14 PM

I'm not sure of the exact root cause but I think it was due to some overly aggressive logging. Reportedly, the messages no longer appear with 5.0.2 and later. Incidentally, I don't see them anymore ever since I upgraded my installation.

Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎04-22-2013 12:50 AM

Thanks, for the response.

We are planning our upgrade at the moment, so I will this to the back of my mind.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...