https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569975#M10262 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194646">@lukasmecir</a>, I think you should raise a support case for this issue.&nbsp;</P><P><SPAN>In fixed issues for Splunk 8.1.2, I found this promising note.</SPAN><BR /><BR /><EM>2021-01-29 SPL-198149, SPL-199358 KVStore lookup indexing leads to slow search performance and intermittent errors in searches.</EM></P><P>See here&nbsp;<SPAN><A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/Fixedissues#Highlighted_issues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/Fixedissues#Highlighted_issues</A></SPAN></P><P><SPAN>but in 8.2.2&nbsp;</SPAN></P><P><SPAN><EM>2021-05-21 SPL-206067 With large KVstore temporal lookups that are replicated to indexers, turning ON enable_splunkd_kv_lookup_indexing may lead to indexer crash</EM><BR /></SPAN></P><P><SPAN><A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/KnownIssues#Distributed_search_and_search_head_clustering_issues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/KnownIssues#Distributed_search_and_search_head_clustering_issues</A></SPAN></P><P><SPAN>So please raise a support case and get the SME's view on how best to address this.</SPAN></P><P><SPAN>Cheers</SPAN></P> Thu, 07 Oct 2021 03:43:10 GMT jamesmurphy_spl 2021-10-07T03:43:10Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569878#M10251 <P>Hi, I would like to ask for help with following problem:<BR />We have SH cluster (3 nodes) and IDX cluster (3 nodes). We upgraded it from 8.0.9 to 8.1.6 because of EOS of 8.0 version. Everything looks fine, except one thing - sometimes this happens:<BR />I run a search. The search starts, but after a while it stucks (on the line below the place for entering the SPL query, the number of events stops) and after cca 5 minutes the search ends with an error message "Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: '/srv/app/int/secmon/splunk/var/run/searchpeers/08270BDA-BE03-4A78-8C6C-95A9CE10BB8D-1633508003/kvstore_s_SA-IdeRjww0FotymhlCIaS1cqkc05a_assetsXy0Y9f6F5lMW4rOy8KLC@P22'"<BR />It happens completely randomly, does not matter what data I search for.<BR />Sometimes this message is generated by only 1 IDX node, sometimes by 2, sometimes by all 3 nodes in IDX cluster.<BR />Error message is always exactly the same (except the part "1633508003", which is time of search).<BR />Sometimes I get partial results (some events returned), sometimes not (0 events returned).<BR />Before upgrade there was no message like this. Could someone help with this? Is it related to the upgrade? And how to fix it? I tried to search through Splunk Community, google around, but did not find anything useful... Thanks in advance.</P><P>Lukas Mecir</P> Wed, 06 Oct 2021 13:04:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569878#M10251 lukasmecir 2021-10-06T13:04:29Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569975#M10262 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194646">@lukasmecir</a>, I think you should raise a support case for this issue.&nbsp;</P><P><SPAN>In fixed issues for Splunk 8.1.2, I found this promising note.</SPAN><BR /><BR /><EM>2021-01-29 SPL-198149, SPL-199358 KVStore lookup indexing leads to slow search performance and intermittent errors in searches.</EM></P><P>See here&nbsp;<SPAN><A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/Fixedissues#Highlighted_issues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/Fixedissues#Highlighted_issues</A></SPAN></P><P><SPAN>but in 8.2.2&nbsp;</SPAN></P><P><SPAN><EM>2021-05-21 SPL-206067 With large KVstore temporal lookups that are replicated to indexers, turning ON enable_splunkd_kv_lookup_indexing may lead to indexer crash</EM><BR /></SPAN></P><P><SPAN><A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/KnownIssues#Distributed_search_and_search_head_clustering_issues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/KnownIssues#Distributed_search_and_search_head_clustering_issues</A></SPAN></P><P><SPAN>So please raise a support case and get the SME's view on how best to address this.</SPAN></P><P><SPAN>Cheers</SPAN></P> Thu, 07 Oct 2021 03:43:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569975#M10262 jamesmurphy_spl 2021-10-07T03:43:10Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569996#M10263 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/31672">@jamesmurphy_spl</a>&nbsp;, thanks for reply. I found the same info you mention in Splunk 8.1.2 fixed issues and it attracted me too. <EM>SPL-206067</EM> probably is not the reason, because&nbsp;<EM>enable_splunkd_kv_lookup_indexing </EM>is set to<EM> false </EM>in our&nbsp; searchpeers.</P><P>Anyway, I raised support case and we'll see...</P><P>Cheers</P> Thu, 07 Oct 2021 07:43:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569996#M10263 lukasmecir 2021-10-07T07:43:49Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/570054#M10277 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194646">@lukasmecir</a>&nbsp;</P><P>I was referring to setting the value to true in the limits.conf file. See detail</P><LI-CODE lang="markup">KVStore lookup indexing leads to slow search performance and intermittent errors in searches. In Splunk Enterprise version 8.1.2, if you encounter this problem change the enable_splunkd_kv_lookup_indexing parameter to true in the [lookup] stanza of limits.conf in your $SPLUNK_HOME/etc/system/local directory on your search peers.</LI-CODE><P>but it's perfectly good that you've raised a support case. Fingers crossed you get resolution my friend.</P><P>&nbsp;</P><P>Best&nbsp;</P><P>James</P> Thu, 07 Oct 2021 12:37:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/570054#M10277 jamesmurphy_spl 2021-10-07T12:37:55Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/571634#M10410 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194646">@lukasmecir</a>&nbsp;</P><P>Have you already got a answer from splunk support? How could you fix this issue?</P><P>Thanks and regards</P> Thu, 21 Oct 2021 07:57:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/571634#M10410 urbach 2021-10-21T07:57:20Z https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/621967#M14603 <P>Please try increasing&nbsp;<SPAN>max_memtable_bytes in limits.conf to higher than default i.e., 25 MB to at least 50MB or more.</SPAN></P> Thu, 24 Nov 2022 09:29:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/621967#M14603 amaithani 2022-11-24T09:29:49Z