Solved: Lookup files not being populated with data

todd_miller · ‎11-05-2015

None of the lookups associated with the Splunk App for Windows Infrastructure are being populated with data. I confirmed the jobs are running and do return data. The issue is surrounding the key value and the output lookup. The search.log file is reporting the following:

11-05-2015 12:35:33.974 WARN  RetryManager - Peer: <SHC_Member_Name> not found in offset map.
11-05-2015 12:35:34.662 INFO  SearchParser - PARSING: outputlookup  windows_event_system append=true
11-05-2015 12:40:40.275 ERROR KVStorageProvider - An error occurred during the last operation ('saveBatchData', domain: '2', code: '4'): Failed to read 4 bytes from socket within 300000 milliseconds.
11-05-2015 12:40:40.331 ERROR KVStoreLookup - KV Store output failed with code -1 and message ''
11-05-2015 12:40:40.331 ERROR SearchResults - An error occurred while saving to the KV Store. Look at search.log for more information.
11-05-2015 12:40:40.331 ERROR outputcsv - sid:1446752129.45933_A7755212-4D40-46D1-8736-3366BD60ADF9 Could not append to collection 'windows_event_system_collection': An error occurred while saving to the KV Store. Look at search.log for more information..

todd_miller · ‎11-07-2015

Apparently a simple restart of the splunk daemon on the SHC members fixes this.

View solution in original post

todd_miller · ‎11-07-2015

Apparently a simple restart of the splunk daemon on the SHC members fixes this.

Lookup files not being populated with data

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!