Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading Splunk from 6.4 to 6.5.1, why is the "search" command not working?

sivapuvvada
Path Finder
‎01-03-2017 03:40 PM

I have upgraded my Splunk version to 6.5.1 from 6.4. After this, I observed the "search" command is not working.
Is there any fix for this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sivapuvvada
Path Finder
‎01-05-2017 08:54 AM

I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .

Now the search command is working fine as expected without any issues .

Thank you for all your help guys .

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sivapuvvada
Path Finder
‎01-05-2017 08:54 AM

I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .

Now the search command is working fine as expected without any issues .

Thank you for all your help guys .

0 Karma
Reply
Solved! Jump to solution

noncon21
Engager
‎01-03-2017 05:46 PM

Sounds liked something I recently ran into after upgrading from 6.3 to 6.5.1. The fix was to clear cache and cookies in the browser and search took right off. However everything else with the exception of the search app was working for us, so given what you originally posted I am not sure if we're having the same issue. I worked mine out with support and apprantly this is a known bug that tends to happen when going through the upgrade process. Hope this helps.,

0 Karma
Reply
Solved! Jump to solution

sivapuvvada
Path Finder
‎01-04-2017 08:49 AM

I have used this query in the search :

index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status

Till here I am receiving the data but when i added search status=N it is not displaying any results .

I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎01-03-2017 04:26 PM

Hello. Are you saying all searches return nothing?

  1. if you are an admin you could look at $SPLUNK_HOME/var/log/splunk/splunkd.log for errors
  2. After your search.. pull down job -> inspect job. Did the job get distributed to indexers?
0 Karma
Reply
Solved! Jump to solution

sivapuvvada
Path Finder
‎01-04-2017 08:50 AM

I have used this query in the search :

index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status

Till here I am receiving the data but when i added search status=N it is not displaying any results .

I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...