Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Running v1.0 of the app in a distributed environment (Splunk Enterprise 6.5.1) and getting the following error when trying to run the Significant Increase in Interactively Logged On Users (Assistant: Detect Spikes) example with live data. I have Windows Security data indexed and performing the same query in the Search & Reporting app does return results.

Error:

[splunk-index1] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.; [splunk-index2] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Splunk Employee

This is now fixed in version 1.0.1. Thank you for reporting it!

The change was to replace the current contents of distsearch.conf with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...


Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Thanks David, that fixed it!


Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Path Finder

I also have the same problem with both of my indexers having the same error as posted above.

I'm wondering if the PSC (Python for Scientific Computing) needs to be installed on the indexers for this to work. Does this app use the streaming features of the MLTK (Machine Learning Toolkit)?

Note:

  • search.log does not contain any errors, only INFO & WARN.
  • The app works fine on my standalone (non-distributed environment) test system.
  • I will install the PSC on my indexers during my next outage window to confirm and post back if David has not confirmed.

Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Splunk Employee

Okay, you just gave me an idea what may be the root problem (a last minute change). Let me test this out over the next couple of hours.


Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Splunk Employee

Got it -- 1.0.1 is published. The fix is to replace the current distsearch.conf configurations with:

[replicationBlacklist]
excludeSSE1 = ...Splunk_Security_Essentials/lookups...
excludeSSE2 = ...Splunk_Security_Essentials\\lookups...

Re: Splunk Security Essentials: How to resolve error "Search process did not exit cleanly" running this search example?

Path Finder

Thanks David, this resolved the issue for me and I'm glad it was a simple fix.