Running v1.0 of the app in a distributed environment (Splunk Enterprise 6.5.1) and getting the following error when trying to run the Significant Increase in Interactively Logged On Users (Assistant: Detect Spikes) example with live data. I have Windows Security data indexed and performing the same query in the Search & Reporting app does return results.
Error:
[splunk-index1] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.; [splunk-index2] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
This is now fixed in version 1.0.1. Thank you for reporting it!
The change was to replace the current contents of distsearch.conf with:
[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...
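To see what that stanza actually does to the knowledge bundle, here is an added example (written for this page; it is not code from the thread or from the Splunk Security Essentials app) that parses the two `[replicationBlacklist]` entries above and evaluates them against sample file paths using Splunk's path-pattern rules as I read them in distsearch.conf.spec: `...` matches any run of characters including separators, `*` matches any run without a separator, and `.` is a literal dot. The file paths are constructed for the example (the SSE lookup file names are hypothetical), and matching against the path relative to `$SPLUNK_HOME/etc` is an assumption; the conf text itself is the one posted above.

```python
import re

# The stanza posted in the thread for SSE 1.0.1, verbatim (raw string, so the
# doubled backslash in excludeSSE2 survives exactly as it appears in the .conf).
DISTSEARCH_CONF = r"""
[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...
"""

# Constructed sample paths, relative to $SPLUNK_HOME/etc (assumption about what
# Splunk matches against). The SSE file names are hypothetical.
SAMPLE_PATHS = [
    "apps/Splunk_Security_Essentials/lookups/example_content.csv",
    "apps/Splunk_Security_Essentials/lookups/nested/example.csv",
    "apps\\Splunk_Security_Essentials\\lookups\\example_content.csv",  # Windows search head
    "apps/Splunk_Security_Essentials/lookups_backup/old.csv",            # note: also excluded
    "apps/Splunk_Security_Essentials/default/savedsearches.conf",
    "apps/another_app/lookups/shared.csv",
]

SEP_CLASS = r"[^/\\]"  # one character that is not a path separator


def parse_conf(text):
    """Minimal parser for Splunk's INI-style .conf files: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def splunk_pattern_to_regex(pattern):
    """Translate a distsearch.conf path pattern into a Python regex.

    Assumed rules: '...' -> anything, separators included; '*' -> anything
    except a separator; a doubled backslash in the .conf is one literal
    backslash; every other character is literal (a '.' in an app name is a dot).
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append(SEP_CLASS + "*")
            i += 1
        elif pattern.startswith("\\\\", i):
            out.append(re.escape("\\"))
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def matches(pattern, path):
    """True if a single Splunk path pattern covers the whole relative path."""
    return re.fullmatch(splunk_pattern_to_regex(pattern), path) is not None


def compile_blacklist(conf_text):
    """[(entry name, compiled regex)] for every [replicationBlacklist] entry, in file order."""
    stanza = parse_conf(conf_text).get("replicationBlacklist", {})
    return [(name, re.compile(splunk_pattern_to_regex(pat))) for name, pat in stanza.items()]


def blacklisted_by(path, rules):
    """Name of the first entry that keeps `path` out of the bundle, or None if it replicates."""
    for name, regex in rules:
        if regex.fullmatch(path):
            return name
    return None


if __name__ == "__main__":
    rules = compile_blacklist(DISTSEARCH_CONF)
    for path in SAMPLE_PATHS:
        hit = blacklisted_by(path, rules)
        print(f"{'EXCLUDED by ' + hit if hit else 'replicated     '}  {path}")
```

Two things the output makes visible that the stanza alone does not: the second entry exists only so that Windows search heads, where the bundle paths use backslashes, are covered too; and because the pattern ends in `...` rather than `/*`, it excludes anything whose path merely begins with `Splunk_Security_Essentials/lookups`, including a sibling directory such as `lookups_backup`, while `lookups/*` would stop at the first separator and miss nested files.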
I also have the same problem with both of my indexers having the same error as posted above.
I'm wondering if the PSC (Python for Scientific Computing) needs to be installed on the indexers for this to work. Does this app use the streaming features of the MLTK (Machine Learning Toolkit)?
Okay, you just gave me an idea what may be the root problem (a last minute change). Let me test this out over the next couple of hours.
Got it -- 1.0.1 is published. The fix is to replace the current distsearch.conf configurations with:
[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...
Thanks David, this resolved the issue for me, and I'm glad it was a simple fix.
Thanks David, that fixed it!