https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447857#M15741 <P>That's just a wild guess: Are you using Enterprise Security? And on Windows?</P> <P>Skalli</P> Wed, 26 Jun 2019 09:03:48 GMT skalliger 2019-06-26T09:03:48Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447853#M15737 <P>Every other day, we are getting following error on the internal index. Nearly 65,000 messages are generated for less than 15mins. What does this error actually mean?</P> <PRE><CODE>_WARN SHCFunctions - alert csv wrong action csv = key,expire,ACTION,MD5,"__mv_key","__mv_expire","__mv_ACTION","__mv_MD5"\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n"","","","",,,,\n_ </CODE></PRE> Mon, 24 Jun 2019 21:42:43 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447853#M15737 spectrum2035 2019-06-24T21:42:43Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447854#M15738 <P>I've never seen that logging category and I don't see <CODE>SHCFunctions</CODE> in the <CODE>log.cfg</CODE> either. Is that some custom app that logs into your _internal index?</P> <P>Skalli</P> Tue, 25 Jun 2019 19:01:31 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447854#M15738 skalliger 2019-06-25T19:01:31Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447855#M15739 <P>@spectrum2035<BR /> Only the error does not give much info. Can you try to add some more info about the error ?<BR /> I am guessing if SHC means Search Head Cluster. Please check if you are able to find any errors/warnings in Monitoring Console on your search head dashboards and any warnings on General Health checks</P> Tue, 25 Jun 2019 20:20:24 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447855#M15739 amitm05 2019-06-25T20:20:24Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447856#M15740 <P>I did check the general health status of the SHC in DMC and couldnt find anything alarming...</P> <P>Following are the 4 logs which was indexed just before the event happened....</P> <P>I ACCESS [conn47] Successfully authenticated as principal __system on local<BR /> I NETWORK [thread1] connection accepted from 10.10.10.3:50374 #47 (23 connections now open)<BR /> 127.0.0.1 - splunk-system-user [25/Jun/2019:16:16:04.090 +0100] "GET /services/data/inputs/threatlist?output_mode=json&amp;search=disabled%3D%22false%22 HTTP/1.0" 200 41063 - - - 92ms<BR /> I ACCESS [conn20] Successfully authenticated as principal __system on local</P> <P>If I look back to the earlier one's i have license usage events OR StatusMgr related events.. so there is no specific pattern..</P> Wed, 30 Sep 2020 01:03:21 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447856#M15740 spectrum2035 2020-09-30T01:03:21Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447857#M15741 <P>That's just a wild guess: Are you using Enterprise Security? And on Windows?</P> <P>Skalli</P> Wed, 26 Jun 2019 09:03:48 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447857#M15741 skalliger 2019-06-26T09:03:48Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447858#M15742 <P>Yes we are using ES but on RHEL</P> Wed, 26 Jun 2019 22:41:03 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447858#M15742 spectrum2035 2019-06-26T22:41:03Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447859#M15743 <P>check ES version and Splunk version compatibility:<BR /> <A href="https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix">https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix</A><BR /> contact splunk support too</P> Thu, 27 Jun 2019 02:48:59 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447859#M15743 adonio 2019-06-27T02:48:59Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447860#M15744 <P>Thanks adonio, we have upgraded our servers nearly a year back and this started showing up for last 1 month only.</P> Thu, 27 Jun 2019 07:52:22 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447860#M15744 spectrum2035 2019-06-27T07:52:22Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447861#M15745 <P>Hi @spectrum2035,</P> <P>Do you still have this issue ? Seems like a misconfigured lookup or alert action to generate a csv. can you try to link this to any newly added alert action ?</P> Thu, 27 Jun 2019 08:25:08 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447861#M15745 DavidHourani 2019-06-27T08:25:08Z https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447862#M15746 <P>facing same problem ... no clues .... doesn't look like there is a correlation to errors reported by other splunkd logging components. just sudden spikes of SHCFunctions warnings.</P> Tue, 13 Aug 2019 14:03:25 GMT https://community.splunk.com/t5/Deployment-Architecture/What-does-this-search-head-cluster-function-alert-WARN-messages/m-p/447862#M15746 smitra_splunk 2019-08-13T14:03:25Z