All Apps and Add-ons

Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

akeneratlanticu
Engager

Running v1.0 of the app in a distributed environment (Splunk Enterprise 6.5.1) and getting the following error when trying to run the Significant Increase in Interactively Logged On Users (Assistant: Detect Spikes) example with live data. I have Windows Security data indexed and performing the same query in the Search & Reporting app does return results.

Error:

[splunk-index1] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.; [splunk-index2] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
1 Solution

David
Splunk Employee

This is now fixed in version 1.0.1. Thank you for reporting it!

The change was to replace the current contents of distsearch.conf with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...

kent_farries
Path Finder

I also have the same problem with both of my indexers having the same error as posted above.

I'm wondering if the PSC (Python for Scientific Computing ) needs to be installed on the indexers for this to work. Does this app use the streaming features of the MLTK (Machine Learning Toolkit)?

Note:

  • search.log does not contain any errors and only INFO & WARN.
  • The app works fine on my standalone (non-distributed environment) test system.
  • I will install the PSC on my indexers during my next outage window to confirm and post back if David has not confirmed.

David
Splunk Employee

Okay, you just gave me an idea what may be the root problem (a last minute change). Let me test this out over the next couple of hours.


David
Splunk Employee

Got it -- 1.0.1 is published. The fix is to replace the current distsearch.conf configurations with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...
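To see what that stanza actually keeps out of the replicated knowledge bundle, here is an added illustration (not part of David's answer, and not Splunk or Security Essentials code): a small Python script that parses a [replicationBlacklist] stanza and tests file paths against its patterns. The pattern semantics it implements are assumptions to verify against distsearch.conf.spec for your version: "..." matches any number of characters including path separators, "*" matches anything except a path separator, and "\\" in the conf file is an escaped literal backslash. The paths are assumed to be relative to $SPLUNK_HOME/etc, and the sample paths below are constructed.

```python
"""Check which files a distsearch.conf [replicationBlacklist] stanza excludes
from the search-head knowledge bundle.

Added illustration only; not Splunk or Splunk Security Essentials code.
Assumed pattern semantics (verify against distsearch.conf.spec):
  "..."   any number of characters, including path separators
  "*"     any characters except a path separator
  "\\\\"  an escaped literal backslash in the conf file
Paths are assumed to be relative to $SPLUNK_HOME/etc.
"""
import re

# Constructed sample: the stanza from the 1.0.1 fix as it would sit in distsearch.conf.
DISTSEARCH_CONF = r"""
[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...
"""


def parse_blacklist(conf_text):
    """Return {name: pattern} from the [replicationBlacklist] stanza only."""
    patterns = {}
    in_stanza = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_stanza = line == "[replicationBlacklist]"
            continue
        if in_stanza and "=" in line:
            name, _, value = line.partition("=")
            patterns[name.strip()] = value.strip()
    return patterns


def pattern_to_regex(pattern):
    """Translate one blacklist pattern into an anchored Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")            # crosses directory boundaries
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^/\\]*")      # stays within one path component
            i += 1
        elif pattern.startswith("\\\\", i):
            out.append(r"\\")           # escaped backslash -> literal backslash
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def excluded_by(path, patterns):
    """Names of the patterns that exclude `path`; an empty list means it is replicated."""
    return [name for name, pat in patterns.items()
            if pattern_to_regex(pat).match(path)]


if __name__ == "__main__":
    rules = parse_blacklist(DISTSEARCH_CONF)
    # Constructed sample paths, relative to $SPLUNK_HOME/etc.
    for p in [
        "apps/Splunk_Security_Essentials/lookups/sse_content.csv",
        r"apps\Splunk_Security_Essentials\lookups\sse_content.csv",
        "apps/Splunk_Security_Essentials/default/savedsearches.conf",
        "apps/search/lookups/other.csv",
    ]:
        hits = excluded_by(p, rules)
        print(f"{p!r}: {'excluded by ' + ', '.join(hits) if hits else 'replicated'}")
```

On a real search head, confirm the stanza is actually being read (and not shadowed by another app's distsearch.conf) with `splunk btool distsearch list replicationBlacklist --debug`, which prints each key together with the file it came from.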

kent_farries
Path Finder

Thanks David this resolved the issue for me and I'm glad it was a simple fix.


akeneratlanticu
Engager

Thanks David, that fixed it!
