If I leave my Splunk WebUI dormant for a bit (I think about 30m), I get the following error message with scary, red, exclamation point triangles.
While it's not a big deal operationally, it's annoying and makes us look like we have a system that is error-prone to our less-splunk-savvy customers. Our Splunk contacts advise us that this is how it's supposed to work and that this is a "feature" for expired searches.
While I understand that the search results expire, is there some way to get rid of the error message or change it to something useful and less-scary? Perhaps something like "These search results are old... don't trust them... re-run your search if you want updated data."
Hi proletariat99, I don't expect it would be trivial to modify Splunk messaging in this case, but you could extend the time-to-live for the Splunk searches as described here : http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf
ttl = <integer>
* How long search artifacts should be stored on disk once completed, in
seconds. The ttl is computed relative to the modtime of status.csv of the job
if such file exists or the modtime of the search job's artifact directory. If
a job is being actively viewed in the Splunk UI then the modtime of
status.csv is constantly updated such that the reaper does not remove the job
from underneath.
* Defaults to 600, which is equivalent to 10 minutes.
Please let me know if this helps 😄
This seems to be an issue for me as well, after migrating SH pools to a new NFS share. Dashboard & scheduled alerts are working ok, but running adhoc searches generally gets the "unknown sid" issue.