Splunk Search

transaction: keeporphans error after 4.3 upgrade?

twinspop
Influencer

This search works without issue in 4.2.4:

sourcetype="teledebug" | transaction keeporphans=1 host source startswith=ANI endswith=onhook

In 4.3 it appears to work, but it returns an error in red atop the results:

[splunk1] Streamed search execute failed because: Error in 'transam' command: Invalid argument: 'keeporphans=1'

Anyone else? Known bug?

EDIT: the error is coming from one of my 4.2.3 indexers. Weird. Any ideas? I'll upgrade asap and report back if it fixes the problem.

1 Solution

Drainy
Champion

http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Transaction

Keeporphans was introduced in version 4.2.4, so 4.2.3 indexers trying to run that search will fall over, I am afraid. I think it is keepevicted or something similar.


twinspop
Influencer

Multiple failures here. I didn't even realize I had a 4.2.3 indexer still. And then failed to read the error message correctly. Doh! Thanks.
