Splunk internal logs: INFO StreamedSearch - Streamed search connection terminated
Splunk search:
index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker ]
| stats count
The search was working fine until today.
Kindly suggest.
I did some digging on my end. Apparently there is some issue with the search query itself. This query was working fine. The multireport is somehow now causing the search to terminate. If I run the query in two parts as below, it is fine.
index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest)
index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker
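The logic the two halves implement, reproduced in Python as an added example (this is not code from the thread and not Splunk's own): summarize() is the stats-by-user step, find_reactivated() mirrors the lookup/where/eval branch that flags a successful login from an account whose last recorded login is more than 30 days old, and update_tracker() mirrors the inputlookup append / stats / outputlookup branch that folds the current summary back into the tracker. The events, the tracker rows and the fixed NOW are constructed sample data; the field names follow the SPL. Two points the SPL leaves implicit are made explicit here: a user with no tracker row never alerts, because the where clause drops rows where prior_latest is null (so a brand-new account's first login is invisible to this rule), and detection must read the tracker before the update rewrites it, which is what the multireport over one stats result guaranteed.

```python
"""Dormant-account login detection and tracker update, mirroring the SPL above.

Constructed sample data stands in for the oswinsec index and the
account_status_tracker lookup; the field names (user, count, earliest,
latest) follow the SPL.
"""

DORMANT_DAYS = 30
DAY = 86400
NOW = 1_700_000_000  # fixed "now" (epoch seconds) so the run is reproducible

# Constructed sample of Windows Security logon events as "epoch user action"
# lines, already reduced to the fields the search uses.
SAMPLE_LINES = [
    f"{NOW - 7200} alice failure",   # dropped by the action=success filter
    f"{NOW - 3600} alice success",   # alice last seen 45 days ago -> alert
    f"{NOW - 600} bob success",      # bob seen 2 days ago -> no alert
    f"{NOW - 300} carol success",    # carol has no tracker row -> not alerted by the SPL
]

# Constructed state of the account_status_tracker lookup before this run.
TRACKER = {
    "alice": {"count": 10, "earliest": NOW - 400 * DAY, "latest": NOW - 45 * DAY},
    "bob": {"count": 200, "earliest": NOW - 400 * DAY, "latest": NOW - 2 * DAY},
    "dave": {"count": 3, "earliest": NOW - 90 * DAY, "latest": NOW - 60 * DAY},  # no login today
}


def summarize(lines):
    """stats count min(_time) as earliest max(_time) as latest by user,
    after the action=success filter."""
    summary = {}
    for line in lines:
        ts, user, action = line.split()
        if action != "success":
            continue
        ts = int(ts)
        row = summary.setdefault(user, {"count": 0, "earliest": ts, "latest": ts})
        row["count"] += 1
        row["earliest"] = min(row["earliest"], ts)
        row["latest"] = max(row["latest"], ts)
    return summary


def find_reactivated(summary, tracker, now):
    """First multireport branch: look up the prior row and keep users whose
    prior latest login is older than DORMANT_DAYS. Users with no prior row
    are returned separately; the SPL where clause silently drops them
    because prior_latest is null for them."""
    cutoff = now - DORMANT_DAYS * DAY
    alerts, unseen = [], []
    for user, row in summary.items():
        prior = tracker.get(user)
        if prior is None:
            unseen.append(user)
        elif prior["latest"] < cutoff:
            days = round((row["earliest"] - prior["latest"]) / 3600 / 24, 2)
            alerts.append({
                "user": user,
                "days_dormant": days,
                "explanation": f"The last login from this user was {days} days ago.",
            })
    return alerts, unseen


def update_tracker(summary, tracker):
    """Second branch: inputlookup append=t, then
    stats min(earliest) max(latest) sum(count) by user, then outputlookup.
    Returns a new dict; the input tracker is left untouched."""
    merged = {}
    for user in sorted(set(summary) | set(tracker)):
        rows = [r for r in (tracker.get(user), summary.get(user)) if r is not None]
        merged[user] = {
            "count": sum(r["count"] for r in rows),
            "earliest": min(r["earliest"] for r in rows),
            "latest": max(r["latest"] for r in rows),
        }
    return merged


def run_once(lines, tracker, now=NOW):
    """One scheduled run. Detection reads the tracker before the update
    rewrites it; otherwise prior_latest would already equal today's login."""
    summary = summarize(lines)
    alerts, unseen = find_reactivated(summary, tracker, now)
    new_tracker = update_tracker(summary, tracker)
    return alerts, unseen, new_tracker


if __name__ == "__main__":
    alerts, unseen, tracker = run_once(SAMPLE_LINES, TRACKER)
    for a in alerts:
        print(a["user"], a["explanation"])
    print("no prior record:", unseen)
    print("tracker now:", tracker)
```

The unseen list is the practical addition: if the goal is to catch reactivated or newly created accounts, route those users to a separate alert rather than letting the null comparison discard them, and keep the detection and the tracker update in one run (or run the update strictly after the detection) so the lookup is never refreshed before it is read.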
It's possible the search was cancelled because your role used up all of its allowed resources. Check the search log.