Solved: Re: Splunk 7.1.0 upgrade of FREE version finalizes... - Page 2

Wobe · ‎04-27-2018

After upgrading from 7.0.3 to 7.1.0 longer searches will be auto-finalized!
So most results will not be correct because not all events will be used for a given timerange.

Example: (All time search, no config changes in disk quotas done)
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message

This happens with ALL searches, i was able to test. The diskquota in the FREE version is promised to be not limited.
It happens on every Upgradeinstallation with V7.1.0.

What did i do wrong?

Wobe · ‎07-17-2018

Tested the issue with V7.1.2.
It seems to be fixed.

I'm happy. 🙂

View solution in original post

xpac · ‎04-30-2018

Good message:
It's a known issue, it's been tested, verified and logged into the issue tracker.
It's not on purpose or anything, but seems to be a bug that only hits the combination of realtime, 7.1 and free license.

Bad message:
Seems there is no workaround or fix yet.

arthurh · ‎04-30-2018

Got the same bug on my splunk test env

johoffry · ‎05-04-2018

I have a trial license installed and it does the same thing while running a REAL-TIME search

Wobe · ‎05-07-2018

So this also happens with a non-expired license? Too bad. I could not test that yet.
I have to mention that it happens with ANY type of search - not only REAL-TIME.

Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life