- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: For some reason we cannot get answer from sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get an answer from search command in Splunk Enterprise?
Hi,
Splunk has been working for a long period without any trouble. When I changed settings yesterday (can't remember what I did) the search command dos not work as before (no answer).
If I go to settings - indexing _audit, _internal , _introspection, _telemtry, _history + main area all of them is disabled.
I also google, and it says that it perhaps has something to do identical id under db directory. We have same id on some files with .sentinel
example:
db_123_345_12
db_123_345_12.rbsentinel
If I run following command:
run netsat -an | grep 9997 we have many tcp session establised .
Have of course rebooted, restarted splunk server several times. It does not help much.
Thanks in advance. Hope someone can give me a hint.
Rgds
Geir
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forgot to mention
When I open Data Summary it says "Waiting for results" but it never get/receive any data. Only Waiting for Results without ending.
Rgds
Geir
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gjhaaland ,
open a case To Splunk Support, it's the only way to have a quick answer.
ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Giuseppe,
Thanks again,
Yes, If I run search command and/or old reports we get no answer at all. The splunk gui is running, but we don't get any answer if we run search - index=*. Normally we will see a long listing with output.
I have not deleted any files. All I have done is some settings regarding field extraction. After a while I discovered that we did not receive any data at all. So I must be some connection between fields (enable/disable) and fields extraction.
Rgds
Geir
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gjhaaland,
if you run a search on _internal, did you have results?
have you any messages from Splunk?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gcusello
Thanks for the answer. No answer at all, even if I run “Usage Reporting Dashboard” the answer is empty. Since it work perfect yesterday I thinks/assume that some files are blocking stopping normal behavior .
If I restart splunkd I got following messages
1: Invalid key in stanza [admin_external:configure]in /home/splunk/etc/apps/TA-eStreamer/default/restmap.conf, line 7: python.version
2: your indexes and inputs configurations are not internally consistent. For more info run splunk btool -check –debug
3: Validating installed files against hashes from /home/splunk/splunk/7.1……..-x86_64manifest’
Problems were found, please review your files and more customization to local
Starting splunk aerver deamon (splunkd)
Done
[OK}
Rgds
Geir
If I run splunk btool -check –debug
I got following error (cut/paste errors)
No spec file for: /home/splunk/etc/apps/Splunk_CiscoSecuritySuite/local/css_views.co
No spec file for: /home/splunk/etc/apps/TA-eStreamer/local/encore.conf
No spec file for: /home/splunk/etc/apps/eStreamer/local/estreamer.conf
No spec file for: /home/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/css_views.conf
No spec file for: /home/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/eventgen.conf
No spec file for: /home/splunk/etc/apps/TA-eStreamer/default/encore.conf
Invalid key in stanza [admin_external:configure] in /home/splunk/etc/apps/TA-eStreamer/default/restmap.conf, line 7: python.version (value: python3).
No spec file for: /home/splunk/etc/apps/eStreamer/default/estreamer.conf
No spec file for: /home/splunk/etc/apps/firepower_dashboard/default/appsetup.conf
No spec file for: /home/splunk/etc/apps/firepower_dashboard/default/umbrella.conf
No spec file for: /home/splunk/etc/system/default/conf.conf
No spec file for: /home/splunk/etc/system/local/migration.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gjhaaland,
the error messages aren't relevant.
Let me better understan: the search doesn't run or you have always no results?
When you say that yesterday worked perfectly, are you meaning: that yesterday the searches run or that running today a search on yesterday data the are ok?
Probably the only solution is to opena a case to Splunk Support that can access your system (with you) and debug the situation.
Ciao.
Giuseppe
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
