Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The search job terminated unexpectedly.

priyanka_231019
Explorer
‎03-17-2021 02:53 AM

Splunk internal logs: INFO StreamedSearch - Streamed search connection terminated

 

Splunk search:

index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker ]
| stats count

 

The search was working fine until today.

Kindly suggest.

Labels (1)
Labels
0 Karma
Reply

priyanka_231019
Explorer
‎03-17-2021 07:06 AM

I did some digging at my end. Apparently, some issue with the search query itself. This query was working fine. The multireport is somehow now causing search to terminate. If I run the query in two parts as below, it is fine.

index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) 

 

 

index=oswinsec source="*WinEventLog:Security" action=success
| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-17-2021 06:50 AM

It's possible the search was cancelled because your role used up all of its allowed resources.  Check the search log.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...