What would cause longer time span queries to auto ...

brianhunter99 · ‎11-20-2019

We've had a standalone Splunk Enterprise 7.2.7 running for some time. There was a need to retire the old hosting server. So, we provisioned another RHEL6 server, the same as the existing server, installed Splunk Enterprise 7.2.7 and copied the Splunk install directory from the old server over the top of the install location on the new server. The basic application functionality appears to be ok, but queries spanning anything but a short length of time are auto-closing. I can't say that queries don't work at all, as described in the following examples.

Basic Example:
In the Splunk Enterprise - Resource Usage - Historical Charts - Memory, I can get a chart to display for 15 minutes and 60 minutes, but for a time range of the last four hours no data is displayed and it indicates auto close.

Another Example:
If I do a search for all events occurring the current month, it seems to start, but then stops on the first day, and there's the indication that it was auto-closed. The query results section of the display indicates that a couple thousand events were found to match, but it doesn't go any further.

What would cause longer time span queries to auto close after data is migrated to a new host?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk