Hi there,
I was just looking through our splunkd logs, and I notice multiple errors for the following:
<dateTime> ERROR SearchOperator:copyresults - You must provide a search id.
I couldn't really find much on Splunkbase, so I turned up the logging for the copyresults
command, and I can now see the following as an example:
INFO SearchOperator:copyresults - mapped lookup name=system_uptime_tracker to fn=C:\Program Files\Splunk\etc\apps/SA-EndpointProtection/lookups/system_uptime_tracker.csv
INFO SearchOperator:copyresults - copy results.csv.gz to C:\Program Files\Splunk\etc\apps\SA-EndpointProtection\lookups\system_uptime_tracker.csv, success=1
INFO ExecProcessor - Ran script: python "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\notable_owners.py", took 2168.4 milliseconds to run, 0 bytes read
ERROR SearchOperator:copyresults - You must provide a search id.
ERROR SearchOperator:copyresults - You must provide a search id.
Does anyone have any thoughts on this? I am seeing the events for other apps as well.
Thanks in advance,
SplunkFu
I'm not sure of the exact root cause but I think it was due to some overly aggressive logging. Reportedly, the messages no longer appear with 5.0.2 and later. Incidentally, I don't see them anymore ever since I upgraded my installation.
I just upgraded to Splunk 5.0.3, and I do have one instance of this error with a timestamp of 10 minutes ago, and I performed the upgrade well over an hour ago. I'll chase it down, but I wouldn't say the issue is resolved with the most recent upgrade.
What version of ES and Splunk are you on?
Thanks for the response.
We are planning our upgrade at the moment, so I will put this to the back of my mind.