Archive

Upgraded from 7.0.5 to 7.3.3 and now get TsidxStats ERRORs in splunkd.log

Path Finder

After upgrading to 7.3.3 from 7.0.5 these two log ERRORs are new

ERROR 2019-12-10 08:01:19.755 security TsidxStats Missing search clause after 'WHERE' keyword 1
ERROR 2019-12-10 08:01:46.309 security TsidxStats Wildcards (*) are not supported in aggregate fields 1

I found a similar log message where it mentions this is a bug.
https://answers.splunk.com/answers/593866/how-to-resolve-this-error-error-in-tsidxstats-wher-1.html

Has anyone seen these two log messages? I'm trying to gauge the significance before upgrading our production environment.

0 Karma

SplunkTrust
SplunkTrust

Hi,

IIRC those error generated by scheduled search Audit - Dataset Relation from App SA-Utils which runs at every 30 minutes and in backend it is running contentinfo_rest_handler.py

0 Karma

SplunkTrust
SplunkTrust

Are you running Splunk Enterprise Security ?

0 Karma

Path Finder

yes, we also upgraded Enterprise Security from 5.0.1 to 5.3.1

0 Karma