
Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

akeneratlanticu
Engager

Running v1.0 of the app in a distributed environment (Splunk Enterprise 6.5.1) and getting the following error when trying to run the Significant Increase in Interactively Logged On Users (Assistant: Detect Spikes) example with live data. I have Windows Security data indexed and performing the same query in the Search & Reporting app does return results.

Error:

[splunk-index1] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.; [splunk-index2] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

David
Splunk Employee

This is now fixed in version 1.0.1. Thank you for reporting it!

The change was to replace the current contents of distsearch.conf with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...

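To see exactly which knowledge-bundle paths the stanza above keeps off the indexers, here is an added example (not part of the SSE app or of this thread) that parses the stanza and applies the distsearch.conf blacklist wildcard rules to candidate paths. The wildcard semantics (`...` crosses directory separators, `*` does not) and the reading of the doubled backslash as one literal backslash are assumptions stated in the code.

```python
import configparser
import re
from typing import Dict, List

# Constructed copy of the stanza posted in the thread (added example, not the app's own file).
# In this Python literal "\\\\" yields the two backslashes that appear in the .conf text.
DISTSEARCH_CONF = """
[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\\\lookups...
"""


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a distsearch.conf blacklist pattern into an anchored regex.

    Assumed rules: '...' matches any run of characters, including path
    separators; '*' matches any run that contains no separator; a doubled
    backslash stands for one literal backslash (Windows-style path).
    """
    pattern = pattern.replace("\\\\", "\\")
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^/\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def load_blacklist(conf_text: str) -> Dict[str, "re.Pattern"]:
    """Read [replicationBlacklist] and compile each entry, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep 'excludeSSE1', not 'excludesse1'
    parser.read_string(conf_text)
    return {name: pattern_to_regex(p) for name, p in parser["replicationBlacklist"].items()}


def excluded_by(path: str, blacklist: Dict[str, "re.Pattern"]) -> List[str]:
    """Names of the blacklist entries that keep this bundle-relative path out of replication."""
    return [name for name, rx in blacklist.items() if rx.search(path)]
```

Run `excluded_by()` against the paths of any lookup that is still being replicated to see whether a separator style is slipping past the stanza.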

kent_farries
Path Finder

I also have the same problem with both of my indexers having the same error as posted above.

I'm wondering if the PSC (Python for Scientific Computing ) needs to be installed on the indexers for this to work. Does this app use the streaming features of the MLTK (Machine Learning Toolkit)?

Note:

  • search.log does not contain any errors and only INFO & WARN.
  • The app works fine on my standalone (non-distributed environment) test system.
  • I will install the PSC on my indexers during my next outage window to confirm and post back if David has not confirmed.

David
Splunk Employee

Okay, you just gave me an idea what may be the root problem (a last minute change). Let me test this out over the next couple of hours.


David
Splunk Employee

Got it -- 1.0.1 is published. The fix is to replace the current distsearch.conf configurations with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...

kent_farries
Path Finder

Thanks David, this resolved the issue for me and I'm glad it was a simple fix.



akeneratlanticu
Engager

Thanks David, that fixed it!
