
Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Explorer

After upgrading from 7.0.3 to 7.1.0 longer searches will be auto-finalized!
So most results will not be correct because not all events will be used for a given timerange.

Example: (All time search, no config changes in disk quotas done)
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message

This happens with ALL searches I was able to test. The disk quota in the FREE version is promised to be not limited.
It happens on every upgrade installation with V7.1.0.

What did I do wrong?


Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Engager

Got the same bug on my Splunk test env.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

New Member

I have a trial license installed and it does the same thing while running a REAL-TIME search.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Explorer

So this also happens with a non-expired license? Too bad. I could not test that yet.
I have to mention that it happens with ANY type of search - not only REAL-TIME.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

SplunkTrust

Good message:
It's a known issue, it's been tested, verified and logged into the issue tracker.
It's not on purpose or anything, but seems to be a bug that only hits the combination of realtime, 7.1 and free license.

Bad message:
Seems there is no workaround or fix yet.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Path Finder

I've the same bug coming from a 6 free version with 3 violations to a 7.1 developer license.

The hash of my free license is :
hash FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
is_unlimited False
label Splunk Free

I can't remove it.
Is it the same for you?

Have you tried to set up an authorize.conf file?

[role_Administrator]
srchDiskQuota = 1000000

I have right problem on my lab machine for the moment and can't test this fix.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Explorer

I have the same hash as you.

I've tested a similar quota configuration before, retested yours now and got no success.

I think it is a very severe issue. Searches with many events simply deliver incorrect results regardless of quotas or timerange settings!

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Engager

I don't have much helpful to add, other than to confirm this issue is present in one of my environments too.

Log shows (trimmed):

05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')

0 Karma
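
An added example, not part of any post in this thread: because an auto-finalized search returns partial results, a scan of the search log for the SearchStatusEnforcer message shown above identifies which searches were cut short and against what limit. The function names and the second (100MB) sample line are assumptions made for illustration; the sample input is constructed in the format of the excerpt above.

```python
import re

# Matches the SearchStatusEnforcer line quoted in the thread. The follow-up
# "State changed to FINALIZING" line repeats the message without a sid and is
# deliberately not matched, so each finalization is counted once.
QUOTA_FINALIZED = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) INFO\s+"
    r"SearchStatusEnforcer - sid:(?P<sid>\S+) "
    r"Search auto-finalized after disk usage limit \((?P<mb>\d+)MB\) reached"
)

# Constructed sample input: the thread's excerpt plus one invented 100MB case.
SAMPLE_LOG = """\
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')
05-14-2018 17:02:10.101 INFO SearchStatusEnforcer - sid:1526335300.12 Search auto-finalized after disk usage limit (100MB) reached.
"""


def find_quota_finalized(lines):
    """Map sid -> details for every search cut short by the disk usage limit."""
    found = {}
    for line in lines:
        m = QUOTA_FINALIZED.match(line.strip())
        if m is None:
            continue
        entry = found.setdefault(
            m["sid"], {"limit_mb": int(m["mb"]), "first_seen": m["ts"], "hits": 0}
        )
        entry["hits"] += 1
    return found


def zero_limit_sids(found):
    """Sids finalized against a 0MB limit, the symptom reported in this thread."""
    return sorted(sid for sid, e in found.items() if e["limit_mb"] == 0)


if __name__ == "__main__":
    results = find_quota_finalized(SAMPLE_LOG.splitlines())
    for sid, e in sorted(results.items()):
        print(f"{e['first_seen']} sid={sid} limit={e['limit_mb']}MB hits={e['hits']}")
    print("0MB-limit searches (results incomplete):", zero_limit_sids(results))
```
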

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Path Finder

Another particular case in my lab machine is that for safety reasons it's not connected to the net. Is it your case too? I've made the update using a USB key.

0 Karma

Re: Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Explorer

Mine is also not connected to the internet. Should not matter.

0 Karma