After upgrading from 7.0.3 to 7.1.0, longer searches will be auto-finalized!
So most results will not be correct, because not all events will be used for a given time range.
Example (all-time search, no config changes to disk quotas done):
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '
| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '
| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message
This happens with ALL searches I was able to test. The disk quota in the FREE version is promised to be unlimited.
It happens on every upgrade installation with V7.1.0.
What did I do wrong?
Got the same bug on my splunk test env
I have a trial license installed and it does the same thing while running a REAL-TIME search
So this also happens with a non-expired license? Too bad. I could not test that yet.
I have to mention that it happens with ANY type of search - not only REAL-TIME.
It's a known issue, it's been tested, verified and logged into the issue tracker.
It's not on purpose or anything, but seems to be a bug that only hits the combination of realtime, 7.1 and free license.
Seems there is no workaround or fix yet.
I have the same bug coming from a 6 free version with 3 violations to a 7.1 developer license.
The hash of my free license is:
label Splunk Free
I can't remove it.
Is it the same for you?
Have you tried to set up an authorize.conf file?
[role_Administrator]
srchDiskQuota = 1000000
I have a rights problem on my lab machine for the moment and can't test this fix.
I have the same hash as you.
I've tested a similar quota configuration before, retested yours now and got no success.
I think it is a very severe issue. Searches with many events simply deliver incorrect results regardless of quotas or timerange settings!
I don't have much helpful to add, other than to confirm this issue is present in one of my environments too.
Log shows (trimmed):
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')
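As an added example (not code from the thread or from Splunk), a small Python helper that scans splunkd log lines for the SearchStatusEnforcer message quoted above and reports which search ids were cut off at a 0MB limit, which is exactly the case where results are silently incomplete. The sample input is the lines quoted above plus one constructed line for a search finalized at a configured, non-zero limit.

```python
import re
from dataclasses import dataclass

# Matches the SearchStatusEnforcer line quoted in the thread. The sid and
# the MB figure are captured; the log level is ignored.
AUTO_FINALIZED = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ SearchStatusEnforcer - "
    r"sid:(?P<sid>\S+) Search auto-finalized after disk usage limit \((?P<mb>\d+)MB\) reached\."
)

@dataclass(frozen=True)
class Truncated:
    ts: str
    sid: str
    limit_mb: int
    realtime: bool  # real-time search ids start with "rt"

def find_truncated_searches(lines):
    """Return one Truncated record per auto-finalized search found in `lines`."""
    hits = []
    for line in lines:
        m = AUTO_FINALIZED.match(line.strip())
        if not m:
            continue
        hits.append(Truncated(ts=m["ts"], sid=m["sid"], limit_mb=int(m["mb"]),
                              realtime=m["sid"].startswith("rt")))
    return hits

def zero_quota_sids(lines):
    """Sids finalized at a 0MB limit: the symptom reported in this thread."""
    return [h.sid for h in find_truncated_searches(lines) if h.limit_mb == 0]

# Sample input: three lines quoted in the thread plus one constructed line
# for a search that was finalized at a non-zero (configured) limit.
SAMPLE_LOG = """\
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:50:02.001 INFO SearchStatusEnforcer - sid:1526334602.100 Search auto-finalized after disk usage limit (1000000MB) reached.
""".splitlines()

if __name__ == "__main__":
    for sid in zero_quota_sids(SAMPLE_LOG):
        print(f"results of search {sid} are incomplete (finalized at 0MB)")
```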
Another particular thing about my lab machine is that for safety reasons it's not connected to the net. Is it your case too? I made the update using a USB key.
Mine is also not connected to the internet. Should not matter.