Error Message on indexer console

New Member

I'm seeing the error below under messages in my Splunk Enterprise console:

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED_Indexer IP ADDress_default-autolb-group DC-Host Name_10
5/22/2020, 2:00:52 PM.

The blocked host name belongs to a domain controller where I just deployed a UF. I'm not receiving any data from this forwarder.

This is harder than I anticipated. I just need to audit security logs from my domain controllers.

0 Karma
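The console text quoted in the post above is splunkd reporting that it could not find a well-formed stanza for a message id in messages.conf. The following is an added example for this thread (not the poster's code and not Splunk's): it parses a messages.conf-style file, flags stanzas that lack `message` or `severity`, and classifies a requested id as ok, malformed or missing. For a missing id it also reports the longest known stanza id that prefixes it, which shows how the key from the post decomposes into `TCPOUT:FORWARDING_BLOCKED` plus appended text. The `[Component:MESSAGE_ID]` stanza layout is assumed from the key in the error; the sample file and its message strings are constructed for this example.

```python
"""Explain a "Missing or malformed messages.conf stanza" console error.

Added example for this thread, not the poster's or Splunk's own code.
Assumed layout: [Component:MESSAGE_ID] stanzas of key = value lines and
'#' comments.  SAMPLE_CONF and its message strings are constructed.
"""
import re

STANZA_RE = re.compile(r"^\[(?P<id>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*)$")
REQUIRED_KEYS = ("message", "severity")
SEVERITIES = {"debug", "info", "warn", "error"}  # severity values used in messages.conf

# Constructed sample: one well-formed stanza and one lacking 'severity'.
SAMPLE_CONF = """\
# constructed messages.conf fragment for illustration
[TCPOUT:FORWARDING_BLOCKED]
message = Forwarding to indexer group %s is blocked for %s seconds.
severity = warn

[TCPOUT:BROKEN_EXAMPLE]
message = Output queue stalled on %s.
"""

# Key as quoted in the first post, with the poster's placeholders left as written.
OBSERVED_KEY = ("TCPOUT:FORWARDING_BLOCKED_Indexer IP ADDress"
                "_default-autolb-group DC-Host Name_10")


def parse_messages_conf(text):
    """Return {stanza_id: {key: value}}; blank lines and '#' comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("id").strip()
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
    return stanzas


def malformed_stanzas(stanzas):
    """Return {stanza_id: [problem, ...]} for stanzas that cannot be rendered."""
    problems = {}
    for sid, keys in stanzas.items():
        issues = [f"missing '{k}'" for k in REQUIRED_KEYS if k not in keys]
        sev = keys.get("severity")
        if sev is not None and sev not in SEVERITIES:
            issues.append(f"unknown severity '{sev}'")
        if ":" not in sid:
            issues.append("id is not of the form Component:MESSAGE_ID")
        if issues:
            problems[sid] = issues
    return problems


def explain_lookup(stanzas, requested_id):
    """Classify requested_id as ('ok' | 'malformed' | 'missing', base_id, details).

    For a missing id, base_id is the longest known stanza id that prefixes it and
    details holds the leftover text.  For the key quoted in the thread that
    leftover looks like the values meant for the %s placeholders.
    """
    bad = malformed_stanzas(stanzas)
    if requested_id in stanzas:
        if requested_id in bad:
            return ("malformed", requested_id, bad[requested_id])
        return ("ok", requested_id, [])
    base = max((sid for sid in stanzas if requested_id.startswith(sid)),
               key=len, default=None)
    leftover = requested_id[len(base):] if base else requested_id
    return ("missing", base, [leftover])


if __name__ == "__main__":
    conf = parse_messages_conf(SAMPLE_CONF)
    print("malformed:", malformed_stanzas(conf))
    print("observed key:", explain_lookup(conf, OBSERVED_KEY))
```

Run as-is it reports the constructed `TCPOUT:BROKEN_EXAMPLE` stanza as malformed and resolves the quoted key to the base id `TCPOUT:FORWARDING_BLOCKED` with the rest left over. To check a real instance, read its own messages.conf into `parse_messages_conf` instead of `SAMPLE_CONF`, remembering that any stanza in `$SPLUNK_HOME/etc/system/local` overrides the default one, as the file header quoted later in this thread describes.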

New Member

So I created a new receiver on port 23 and now I can see that the servers are connected in the netstat output. I was able to telnet on 23 to the Splunk indexer.

However, I still have no logs/data under search/data summary (waiting for data). I also don't see my domain controller available to search from under hosts.

Any help would be appreciated.

0 Karma

New Member

Any thoughts? Should I change the receiving port to something other than 9997?

0 Karma

New Member


Version 8.0.3

Changes to default files will be lost on update and are difficult to manage and support. Make changes to system defaults by overriding them in apps or $SPLUNK_HOME/etc/system/local (see "Configuration file precedence" in the web documentation). To override a specific setting, copy the name of the stanza and setting to the file where you wish to override it.

This file contains an example messages.conf of attribute/value pairs for configuring externalized strings.

name = Abstract Operator

message = The value of %s is invalid: %ld. The valid range is 1-%d.
severity = error

name = AddInfo Processor

message = Error deleting temporary file '%s', after copying to sinkhole.
severity = error

message = Error moving file '%s' to '%s'.
severity = error

message = Could not open the following temporary file for writing: '%s'.
severity = error

message = File option '%s' is invalid. Filename contains one of the following prohibited characters: period (.), forward slash (/), or backslash (\).
severity = error

message = Format option '%s' is invalid.
severity = error

message = Time format option '%s' is invalid.
severity = error

message = Must specify at least one dimension field if split mode.
severity = error

message = Must specify a valid metric index.
severity = error

message = Missing arguments. Usage: setfields field1=\"value1\", field2=\"value2\"...
severity = error

message = Missing the '=' key-value delimiter. Ignoring token '%s'.
severity = warn

message = Missing a valid field list. Usage: setfields field1=\"value1\", field2=\"value2\"...
severity = error

message = No results to summary index.
severity = warn

message = You have insufficient privileges to run this command.
severity = error

message = The 'path' option has been deprecated. Set option 'spool' to false to write output to $SPLUNK_HOME/var/run/splunk/.
severity = warn

message = Successfully wrote file to '%s'.
severity = info

name = Analysis Processor

message = '%s' argument is required.
severity = error

name = Anomalies

message = The blacklist threshold is invalid. It must be between 0 and 1.0.
severity = error

message = Compression failed. Aborting search.
severity = error

message = The threshold is invalid. It must be between 0 and 1.0.
severity = error

message = The maxvalues setting is invalid. Maxvalues must be between 10 and 10000.
severity = error

message = A separating field was not found. Carrying on without it.
severity = info

message = Blacklist file name can not contain '..'.
severity = error

name = Anomalous Value Processor

message = The 'action' option value is invalid. It must be 'filter' (default), 'annotate', or 'summary'.
severity = error

message = The 'maxanofreq' option value is invalid. It must be > 0 and <= 1.0.
severity = error

message = The 'minnormfreq' option value is invalid. It must be >= 0 and <= 1.0.
severity = error

message = The 'minsupfreq' option value is invalid. It must be >= 0 and <= 1.0.
severity = error

message = The 'pthresh' option value is invalid. It must be >= 0.0 and <= 1.0.
severity = error

message = Found no qualifying results. Result is a no-op.
severity = info

message = Found no qualifying results. Verify that the field names are correct.
severity = error

name = Anomaly Processor

message = The 'action' option value is invalid for this method. It must be 'filter' (default), 'annotate', or 'summary'.
severity = error

message = The 'action' option value is invalid for this method. It must be 'tf' (default), 'transform', 'rm', or 'remove'.
severity = error

message = The 'maxanofreq' option value is invalid. It must be > 0 and <= 1.0.
severity = error

message = The 'method' option value is invalid. It must be 'histogram', 'zscore', or 'iqr'.
severity = error

message = The 'minnormfreq' option value is invalid. It must be >= 0 and <= 1.0.
severity = error

message = The 'minsupfreq' option value is invalid. It must be >= 0 and <= 1.0.
severity = error

message = The 'param' option value is invalid. It must be >= 0.0.
severity = error

message = The 'pthresh' option value is invalid. It must be >= 0.0 and <= 1.0.
severity = error

name = App Server

message = Running Splunk Web in legacy mode by setting appServerPorts=0 has been removed.
action = Set appServerPorts to a valid port or list of ports in web.conf under [settings].
severity = error
capabilities = edit_web_settings
help = message.legacy.splunkweb.deprecated

message = App server script does not exist.
action = Reinstall Splunk software.
severity = error

message = Appserver at %s never started up.
action = Set appServerProcessLogStderr to "true" under [settings] in web.conf. Restart, try the operation again, and review splunkd.log for any messages that contain "UiAppServer - From appserver".
severity = error

name = Append Processor

message = The last argument must be a subsearch.
severity = error

message = You can only use %s after a reporting command (such as stats, chart, or timechart).
severity = error

name = App License Validator

message = The app license server was unreachable for 30 days or more. All licensed apps have been disabled.
severity = error

message = The following app licenses have expired and have been disabled: %s.
action = Repurchase app license from Splunkbase.
severity = error

message = The following app licenses have expired but are running in a grace period: %s.
action = Repurchase app license from Splunkbase.
severity = warn

message = The following app licenses cannot be found and have been disabled: %s
action = Contact Splunk support if you believe there has been an error.
severity = error

message = The appLicenseHostPort setting in server.conf is undefined. Unless the connection is restored, all licensed apps will be disabled in %s day(s).
action = Check the appLicenseHostPort setting in server.conf or contact Splunk Support.
severity = error

message = The app license server cannot be reached. Unless the connection is restored, all licensed app will be disabled in %s day(s).
action = Check the appLicenseHostPort setting in server.conf or contact Splunk Support.
severity = error

name = Arule Processor

message = The 'conf' option value must be > 0.0 and <= 1.0, got '%f'.
severity = error

message = The 'sup' option value must be >= 0, got '%d'.
severity = error

message = No fields specified.
severity = error

message = Table data had no/bad given field or implied field.
severity = error

message = Table data missing given or implied fields.
severity = error

name = Association Processor

message = You cannot restrict the analysis to a single field.
severity = error

message = The minimum support count (supcnt) must be > 0.
severity = error

message = APKeyInfo::isCandidateKey() was called with total_count of 0.
severity = error

message = Found no associations. Consider decreasing the minimum support.
severity = info

message = Found no associations. Consider decreasing the minimum support or the minimum entropy improvement.
severity = info

message = Found no events or fields to analyze.
severity = debug

message = Found no events containing the specified fields.
severity = debug

name = AST Optimizer

message = Expected a JSON object.
severity = error

message = Dataset '%s' had invalid '%s' attribute.
severity = error

message = Dataset '%s' had no '%s' attribute.
severity = error

message = Expected an array of '%s' attribute.
severity = error

message = Expected a valid JSON document.
severity = error

message = Object had no '%s' attribute.
severity = error

message = %s had no '%s' attribute.
severity = error

message = Expect parse_only mode.
severity = error

name = Audit Event Generator

message = auditedChunk size=%d={%s}.
severity = error

message = decryptedChunk size=%d={%s}.
severity = error

message = Encountered decryption error %s, %s.
severity = error

message = Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes.
action = Review system health: ensure downstream indexing and/or forwarding are operating correctly.
severity = warn
capabilities = admin_all_objects

name = Authentication manager

message = Login failed
severity = error

name = Auto Regression Processor

message = A field name was expected.
severity = error

message = A field name is expected after '%s'.
severity = error

message = The '%s' field name is invalid.
severity = error

message = The '%s' value for the 'p' range end is invalid.
severity = error

message = The range of 'p' values cannot exceed %lu.
severity = error

message = The '%s' value for the 'p' range start is invalid.
severity = error

message = The value '%s' for 'p' is invalid.
severity = error

message = You cannot specify new field name when you specify a range for 'p'.
severity = error

name = Batch Search

message = The search failed. More than %d events found at time %d.
severity = error

message = The search failed. Unable to create directory %s.
severity = error

message = The search failed. Unable to read temp files on disk.
severity = error

message = The search failed. Unable to write temp files to disk.
severity = error

name = Branched Processor

message = Post-process searches cannot contain a generating command. The post-process search '%s' currently generates events.
action = Rewrite the post-process search so that it does not include generating commands in base search '%s'.
severity = error
capabilities = search

message = Could not create branch subdirectory.
severity = error

message = Caught an exception in branch: %s.
severity = error

name = Bucket Cache

message = The search you ran returned a number of fields that exceeded the current indexed field extraction limit.
severity = warn
action = To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index.

name = Bundle Replication

message = Problem replicating config (bundle) to Remote File Storage (RFS) location %s.
capabilities = edit_search_server

message = Problem replicating config (bundle) to search peer ' %s ', %s.
capabilities = edit_search_server

message = Bundle Replication aborted for search peer %s.
severity = error
action = Please check for relevant errors in splunkd.log in $SPLUNK_HOME/var/log/splunk.
capabilities = search

message = Bundle Replication failed for search peer %s.
severity = error
action = Please check for relevant errors in splunkd.log in $SPLUNK_HOME/var/log/splunk.
capabilities = search

name = Chunk Processor

message = Invalid field.
severity = error

message = Last argument must be a subsearch.
severity = error

name = Chunked Extern Processor

message = Invalid maxchunksize value in commands.conf: must be a non-negative integer.
severity = warn

message = Invalid maxwait value in commands.conf: must be a non-negative integer.
severity = warn

message = The Python version '%s' for command '%s' in commands.conf is invalid.
severity = error

message = Invalid message received from external search command during search, see search.log.
severity = error

message = Invalid '%s' from external search process: out of range or out of order.
severity = error

message = External search command exited unexpectedly with non-zero error code %d.
severity = error

message = Could not find file: '%s'.
severity = error

message = Invalid message received from external search command during setup, see search.log.
severity = error

message = External search command exited unexpectedly.
severity = error

message = Failed to send message to external search command, see search.log.
severity = error

name = Event-Clustering Search Processor

message = The distance type '%s' is invalid.
severity = error

message = Cluster number field name cannot be empty string.
severity = error

message = The number of clusters (%s) is invalid.
severity = error

message = The reps or maxIter value is invalid.
severity = error

message = Random seed must be > 0.
severity = error

message = The threshold '%f' is invalid.
severity = error

message = K-means clustering failed.
severity = error

message = K-means clustering failed for k = %u.
severity = error

message = Reached maximum data points limit (%lu). Some events will be ignored. Edit limits.conf to change limits.
severity = warn

message = Found no completely numerical fields.
severity = warn

message = Found no results with all numerical values for the specified fields.
severity = warn

message = There aren't enough qualifying results (%u) for the specified number of clusters (%u).
severity = warn

name = CoFilter Processor

message = Incorrect number of fields, expected two.
severity = error

message = Out of memory.
severity = error

message = Some expected fields are missing in input.
severity = error

name = Common Value Processor

message = The output count field cannot have the same name as the output percent field.
severity = error

message = Corrupt output from pretop or prerare (missing fields).
severity = error

message = Corrupt output from pretop or prerare (missing split by fields).
severity = error

message = The pretop or prerare output is corrupt (zero count).
severity = error

message = The output count field conflicts with the input field '%s'. Use the 'countfield' option to specify a different name.
severity = error

message = The '%s' field is specified multiple times.
severity = error

message = The split by field '%s' cannot be repeated.
severity = error

message = Field(s) to split on are expected after the 'by' keyword.
severity = error

message = Failed to rename file '%s' to '%s'.
severity = warn

message = The limit must be <= %lu.
severity = error

message = Reached the intermediate storage limit. Output might not be completely accurate. If necessary, edit limits.conf.
severity = warn

message = No fields were specified.
severity = error

message = The output percent field conflicts with the input field '%s'. Use the 'percentfield' option to specify a different name.
severity = error

message = The '%s' field name is reserved for internal use.
severity = error

name = Concurrency Processor

message = %lu events were ignored due to missing or invalid start or duration fields.
severity = warn

message = The specified output field is invalid.
severity = error

message = The specified start field is invalid.
severity = error

message = Concurrency limit reached (%lu) for some events.
severity = warn

message = A valid duration field is required.
severity = error

name = Conf Multi KV

message = Failed to find the multikv.conf configuration file.
severity = error

message = Failed to find a valid configuration for multikv stanza =
severity = error

name = Contingency Processor

message = The value of option '%s' must be <= %lu.
severity = error

message = You must specify valid and distinct row and column fields.
severity = error

message = The min row and col covers must be > 0.0 and <= 1.0.
severity = error

message = Corrupt data from pre-ctable. The '%s' field is not numerical.
severity = error

message = The value of the 'totalstr' option must be a valid field name ('%s' is invalid).
severity = error

message = Unable to find row '%s' and/or col '%s' fields in the results.
severity = warn

name = Continuity Processor

message = Appending %lu extraneous events to the end.
severity = warn

message = Appending %lu extraneous events to the end. Likely a result of makecontinuous command misuse.
severity = warn

message = When you specify 'span', Splunk ignores 'avoidgaps'.
severity = info

message = Unexpected duplicate values in field '%s' have been detected.
severity = error

message = The value for option %s is invalid: '%s'.
severity = error

message = There was a mktime() error. tl_advance() returned -1, tscale: %s, origspan: %lu.
severity = error

message = Multifile input is not supported. Operating on in-memory results only.
severity = error

message = There is a potential numerical stability issue with the given value range.
severity = error

message = The specified span would result in too many (>%lu) rows.
severity = error

message = The %s value '%s' must be > the %s value '%s'.
severity = error

name = Conversion Processor

message = Could not fill the rename pattern '%s' using the field '%s' (matched wildcard '%s').
severity = error

message = The argument '%s' is invalid.
severity = error

message = The conversion specifier is invalid. It must be convert_type(key).
severity = error

message = The conversion type '%s' is invalid.
severity = error

message = The field name '%s' is invalid.
severity = error

message = The time format '%s' is invalid.
severity = error

message = The wildcard specifier '%s' is invalid. It contains consecutive '*' chars.
severity = error

message = The field '%s' is specified multiple times. It should be specified no more than once.
severity = error

message = There is a wildcards mismatch between the key specifier and the rename specifier.
severity = error

name = Copy Results Processor

message = Permission denied. You do not have sufficient privileges to write to the '%s' application.
severity = error

message = Cannot find a job with the search_id '%s'.
severity = error

message = Cannot find results for search_id '%s'.
severity = error

message = Could not rename temporary file '%s' to '%s'.
severity = error

message = Could not rename temporary file '%s' to '%s'. Error: '%s'.
severity = error

message = Failed to copy results of search_id '%s' to path '%s'.
severity = error

message = You must provide a search id.
severity = error

message = The destination application '%s' does not exist.
severity = error

message = The file destination is invalid. Splunk can only write '.csv' files to 'etc/system/lookups/' or 'etc/apps//lookups/'.
severity = error

message = No destination file is provided.
severity = error

message = Permission denied. Cannot access contents of job with search_id '%s'.
severity = error

message = Job_id '%s' is invalid. Valid IDs are not reserved filenames, do not start with '.', and contain only letters, numbers, or the following characters: '
severity = error

name = Correlation Processor

message = The correlation type '%s' is invalid.
severity = error

message = The field '%s' is specified multiple times. It should only be specified once.
severity = error

message = No qualifying fields exist in the data.
severity = warn

message = Splunk cannot create a correlation based on a single field. You must provide at least one other field.
severity = error

name = Cursored Search

message = Events might not be returned in sub-second order due to search memory limits. See search.log for more information.
action = Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk.
severity = error
capabilities = search

name = Data Model Handler

message = Cannot have multiple output fields for Eval.
severity = error

message = Cannot have empty base search for root search dataset.
severity = error

message = Cannot accelerate data model '%s'. Only root event or streaming-based root search can be accelerated.
severity = error

message = Cannot add field '%s' because it already exists in dataset '%s'.
severity = error

message = Cannot add dataset '%s' because a dataset with that ID already exists.
severity = error

message = Cannot have empty expression for %s.
severity = error

message = Invalid field name.
severity = error

message = Cannot have empty input field for %s.
severity = error

message = Cannot have empty lookup name.
severity = error

message = Cannot have empty output field for %s.
severity = error

message = Error loading data model '%s'
severity = error

message = Fields and field_coverage arguments can not be used together.
severity = error

message = The dataset '%s' has no field '%s'.
severity = error

message = Acceleration setting for data model '%s.%s' is invalid.
severity = error

message = Invalid field_coverage value.
severity = error

message = Invalid field type.
severity = error

message = Invalid GeoIP output field '%s'.
severity = error

message = JSON for data model '%s' is invalid.
severity = error

message = A data model with the name '%s' already exists.
severity = error

message = Key '%s' was missing from JSON document.
severity = error

message = Could not load parent dataset '%s'.
severity = error

message = Cannot accelerate data model with no datasets: '%s'.
severity = error

message = Data model '%s' was not found.
severity = error

message = Child dataset of parent '%s' is null.
severity = error

message = Dataset constraints cannot contain pipes.
severity = error

message = Output field names in %s cannot contain spaces.
severity = error

message = This root transaction dataset includes one or more invalid Group by fields.
severity = error

message = Could not load dataset '%s' in group.
severity = error

message = Root transaction datasets require at least one Group by field, Max Pause value, or Max Span value.
severity = error

message = Root transaction datasets require at least one dataset to group.
severity = error

message = Transacting over multiple datasets requires all datasets to group be of type BaseEvent.
severity = error

message = Dataset name '%s' is reserved. Choose another.
severity = error

message = Dataset constraints cannot contain subsearches.
severity = error

message = JSON for data model '%s' had bad 'parentName' value '%s'.
severity = error

message = Dataset constraints must specify at least one index.
severity = error

name = Dedup Operator

message = You must provide a sortby field name.
severity = error

message = The limit option is invalid. It must be >= 1.
severity = error

message = At least one field must be given as an argument.
severity = error

message = The field '%s' is specified multiple times. It should only be specified once.
severity = error

message = The sortby clause is not for prededup.
severity = error

name = Directive Factory

message = Unknown directive '%s'.
severity = error
capabilities = search

name = Discretization Processor

message = The timealign option is only valid for time based discretization.
severity = error

message = Expected a field name after '%s'.
severity = error

message = Failed to discretize value '%s' of field '%s'.
severity = error

message = Invalid value for aligntime. Must be 'earliest', 'latest', or a valid time (relative times e.g. '-1d@d' are acceptable).
severity = error

message = The log span '%s' is invalid. %s.
severity = error

message = The number of bins must be >= 2 and <= %lu.
severity = error

message = The numerical span '%s' is invalid. It must be > 0.
severity = error

message = The value for option %s (%s) is invalid.
severity = error

message = The value for option %s (%s) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.
severity = error

message = You must specify a field to discretize.
severity = error

message = Field '%s' does not exist in the data.
severity = error

message = Field '%s' should have numerical values.
severity = error

message = Span value '%s' results in too many (> %lu) bins. Edit limits.conf to change limits.
severity = error

message = The %s value must be >= %s value.
severity = error

name = Disk Monitor

message = The index processor has paused data flow. Current free disk space on partition '%s' has fallen to %lluMB, below the minimum of %lluMB. Data writes to index path '%s'cannot safely proceed.
action = Increase free disk space on partition '%s' by removing or relocating data.
severity = warn
help = message.stall.indexer.diskspace
capabilities = indexes_edit

name = Dispatch Command Processor

message = Asynchronous bundle replication might cause (pre 4.2) search peers to run searches with different bundle/config versions. Results might not be correct.
severity = info

message = Cannot dispatch search on a Universal Forwarder.
severity = warn

message = Could not find the expected job info file '%s'.
severity = warn

message = Dispatch Manager could not associate a role with username '%s'.
severity = error

message = Changing priority '%s' while running as a splunkd thread is not allowed. Ignoring.
severity = warn

message = A portion of the search ended prematurely due to failure for indexer: %s. Attempting to recover the search.
severity = error

message = Cluster has recovered from premature search termination on peer(s).
severity = info

message = This command cannot be invoked after the command '%s' because it expects events in descending time order.
severity = error

message = The file '%s' is corrupt.
severity = error

message = Received the following while changing the job priority (%m): '%s'.
severity = warn

message = One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance.
severity = warn

message = Failed to connect with url '%s' because of %s.
severity = error

message = Failed to connect with url '%s' because of %s. status code = %d.
severity = error

message = Failed to create a directory at %s.
severity = error

message = Failed to find the info file to %s. Search process not started.
severity = error

message = Failed generation setup, reason: %s.
severity = error

message = Failed to reap bundle_directory '%s' because of %m.
severity = error

message = Failed to start the search process for sid=%s.
severity = error

message = Failed to write the info file to %s.
severity = error

message = File '%s' no longer exists.
severity = error

message = This command must be the first command of a search.
severity = error

message = Input results into the dispatch command are being ignored.
severity = warn

message = The user '%s' does not have sufficient search privileges.
severity = error

message = The '%s' command cannot be the first command in a search.
severity = error

message = The ID value is invalid. ..%s is not allowed.
severity = error

message = The 'maxresults' option must have value > 0.
severity = error

message = One or more indexes specified in search does not exist on any of the queried peer(s).
severity = error

message = Search filters specified using splunk_server/splunk_server_group do not match any search peer.
severity = warn

message = The 'ttl' option must have value > 0.
severity = error

message = The auto_cancel value '%s' is invalid.
severity = error

message = The auto_pause value '%s' is invalid.
severity = error

message = Local Search Feature disabled by licenser (status=%d).
severity = info

message = The minimum free disk space (%lluMB) reached for %s. %s
severity = warn

message = The maximum number of concurrent %s searches for the role=%s has been reached. quota=%lu usage=%lu.
severity = warn

message = The maximum number of concurrent %s searches on this instance has been reached.
severity = info

message = This search could not be dispatched because the role-based concurrency limit of historical searches for user "%s" has been reached (usage=%lu, quota=%lu).
action = Wait for some of your running historical searches to complete or ask your Splunk administrator to increase the search concurrency limit of historical searches for your role in authorize.conf.
severity = error
capabilities = search
help =
message_alternate = The maximum number of concurrent historical searches for this user based on their role quota has been reached.

message = The maximum number of concurrent searches has been reached for all roles (roles.count=%u) usage=%lu quota=%lu user=%s while trying to start search. sid=%s
severity = error
capabilities = search
help =

message = This search could not be dispatched because the role-based concurrency limit of historical searches for user "%s" on this cluster has been reached (usage=%lu, quota=%lu).
action = Wait for some of your running historical searches to complete or ask your Splunk administrator to increase the search concurrency limit of historical searches for your role in authorize.conf.
severity = error
capabilities = search
help =
message_alternate = The maximum number of concurrent historical searches for this user on this cluster based on their role quota has been reached.

message = The maximum number of concurrent %s searches on this cluster has been reached.
severity = info

message = The search process with sid=%s was forcefully terminated because its relative physical memory usage (%f percent) has exceeded the 'search_process_memory_usage_percentage_threshold' (%f percent) setting in limits.conf.
severity = error
capabilities = search
help =

message = The search processs with sid=%s was forcefully terminated because its physical memory usage (%f MB) has exceeded the 'search_process_memory_usage_threshold' (%f MB) setting in limits.conf.
severity = error
capabilities = search
help =

message = The search process with sid=%s was forcefully terminated because both its physical memory usage (%f MB) and its relative physical memory usage (%f percent) have exceeded the 'search_process_memory_usage_threshold' (%f MB) and 'search_process_memory_usage_percentage_threshold' (%f percent) settings in limits.conf.
severity = error
capabilities = search
help =

message = More than one rename tag is detected for sourcetype '%s'.
severity = error

message = No user context has been set. You cannot run the search.
severity = error

message = The user is not logged in.
severity = error

message = Failed to launch search since requested number of pipeline requested=%u exceeds max search pipeline=%u.
severity = error

message = This search could not be dispatched because the role-based disk usage quota of search artifacts for user "%s" has been reached (usage=%luMB, quota=%luMB).
action = Use the [[/app/search/job_manager|Job Manager]] to delete some of your search artifacts, or ask your Splunk administrator to increase the disk quota of search artifacts for your role in authorize.conf.
severity = error
capabilities = search
message_alternate = The maximum disk usage quota for this user has been reached.

message = This search could not be dispatched because the role-based disk usage quota of search artifacts for user "%s" on this cluster has been reached (usage=%luMB, quota=%luMB).
action = Use the [[/app/search/job_manager|Job Manager]] to delete some of your search artifacts, or ask your Splunk administrator to increase the disk quota of search artifacts for your role in authorize.conf.
severity = error
capabilities = search
message_alternate = The maximum disk usage quota for this user on this cluster has been reached.

message = This search could not be dispatched because the role-based concurrency limit of real-time searches for user "%s" has been reached (usage=%lu, quota=%lu).
action = Use the [[/app/search/job_manager|Job Manager]] to cancel some of your running real-time searches or ask your Splunk administrator to increase the search concurrency limit of real-time searches for your role in authorize.conf.
severity = error
capabilities = search
help =
message_alternate = The maximum number of concurrent real-time searches for this user based on their role quota has been reached.

message = This search could not be dispatched because the role-based concurrency limit of real-time searches for user "%s" on this cluster has been reached (usage=%lu, quota=%lu).
action = Use the [[/app/search/job_manager|Job Manager]] to cancel some of your running real-time searches or ask your Splunk administrator to increase the search concurrency limit of real-time searches for your role in authorize.conf.
severity = error
capabilities = search
help =
message_alternate = The maximum number of concurrent real-time searches for this user on this cluster based on their role quota has been reached.

message = Search job failed because peer '%s' is down
severity = error

message = Search results might be incomplete: the search process on a peer's search ended prematurely.
severity = warn

message = Reading error while waiting for external result provider %s. Search results might be incomplete!
severity = warn

message = Search results might be incomplete: the search process on peer %s ended prematurely. This can be caused by a variety of reasons.
action = Consult the [[%s|search.log]] for the remote search and check for a possible crash log in the $SPLUNK_HOME/var/log/splunkd directory for %s.
severity = warn

message = Reading error while waiting for external result provider %s. Search results might be incomplete!
severity = warn

message = Reading error while waiting for peer %s. Search results might be incomplete! This can occur if the peer unexpectedly closes or resets the connection during a planned restart.
action = Try running the search again. If the problem persists, confirm network connectivity between this instance and the peer, and review search.log and splunkd.log on the peer to check its activity.
severity = warn
help = learnmore.idxc.searchable.upgrade

message = Timed out waiting for peer %s. Search results might be incomplete!
action = If this occurs frequently, receiveTimeout in distsearch.conf might need to be increased.
severity = warn

message = Unknown error for indexer: %s. Search Results might be incomplete!
action = If this occurs frequently, check on the peer.
severity = warn

message = Peer %s's search ended prematurely. Attempting to reconnect and resume.
severity = error

message = Peer '%s' was disconnected because it was too slow and holding up the completion of this search. This can be disabled in limits.conf [slow_peer_disconnect].
severity = warn

message = The search was not run on the remote peer '%s' due to incompatible peer version ('%s').
severity = warn

message = Search results might be incomplete: the search process on the local peer:%s failed to configure the local collector.
action = Check the local peer search.log.
severity = warn

message = Search results might be incomplete: the search process on the local peer:%s ended prematurely.
action = Check the local peer log, such as $SPLUNK_HOME/var/log/splunk/splunkd.log, as well as the search.log for the particular search.
severity = warn

message = Successfully resumed search on %s.
severity = info

message = Failed to generate preview results %s.
severity = error

message = This command cannot be invoked after the command '%s', which is not distributable streaming.
severity = error

message = This command cannot be invoked after the command '%s', which is not streaming.
severity = error

message = The priority '%s' is out of bounds. The valid range is [0 - 10].
severity = warn

message = The query has completed, but the earliest time (et) has not yet been set to zero.
severity = warn

message = This command is not supported in a real-time search.
severity = error

message = Replay has finished.
severity = info

message = Operating system thread limit reached; could not run search.
severity = error

message = This search does not support a windowed real-time time range.
severity = error

message = The report scheduler has been disabled by an administrator. Scheduled report and alert searches are not being run, and their actions are not being performed.
action = To restore this service, contact your Splunk administrator.
severity = warn

message = Search auto-finalized after disk usage limit (%lluMB) reached.
severity = warn

message = Search auto-finalized after %lu events limit reached.
severity = info

message = The search auto-finalized after it reached its time limit: %llu seconds.
severity = info

message = Search bundle throttling is occurring because the limit for number of bundles with pending lookups for indexing has been exceeded. This could be the result of large lookup files updating faster than Splunk software can index them. Throttling ends when this instance has caught up with indexing of lookups.
action = If you see this often, contact your Splunk administrator about tuning lookup sizes and max_memtable_bytes.
severity = warn
capabilities = search
help = message.lookup.preindex_throttling

message = Failed to recover from indexer failure(s). Search results might be incomplete.
severity = info

message = Search finalized.
severity = info

message = The start_time value %lu should be earlier than the end_time value %lu.
severity = error

message = Timed out waiting on peers. If this occurs frequently, the 'results_queue_read_timeout_sec' setting in limits.conf might need to be increased. Search results might be incomplete!
severity = error

message = This search requires events to be in descending time order, but the preceding search does not guarantee time-ordered events.
severity = error

message = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
action = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
severity = warn
capabilities = admin_all_objects
help = message.dispatch.artifacts

message = Unable to obtain a valid user context for the dispatch thread.
severity = error

message = Usage: dispatch [options] [remoteserverlist] '['']'.
severity = error

message = The instance is approaching the maximum number of %s searches that can be run concurrently.
severity = warn

message = The cluster is approaching the maximum number of %s searches that can be run concurrently.
severity = warn

message = The search job has failed due to err='%s' for the peer=%s.
action = Check peer status and try running the search again.
severity = error

message = The search job has failed because some peers were not searchable. Results will be incomplete.
action = Check peer status and try running the search again.
severity = error

name = Dispatch Job

message = The search job's workload pool was changed to %s, for sid=%s.
severity = info
help = learnmore.use_workloads

message = Post-process searches cannot contain a generating command. The post-process search '%s' currently generates events.
action = Rewrite the post-process search so that it does not include generating commands in base search '%s'.
severity = error
capabilities = search

message = Cannot specify workload_pool multiple times.
action = Remove the duplicate workload_pool parameter, and re-run the search.
severity = error
help = learnmore.use_workloads

message = Failed to find workload pool: %s.
action = Assign the search to a valid workload pool, and try again.
severity = error
help = learnmore.use_workloads

message = User has insufficient permissions to perform this operation.
action = list_workload_pools and select_workload_pools capabilities are required.
severity = error
help = learnmore.workload_capabilities

message = You are missing the workload pool for the set workload pool action.
action = Provide correct workload_pool parameter, and repeat the set workload pool action.
severity = error
help = learnmore.use_workloads

message = This instance is currently in Detention mode and does not allow running new search jobs. This is likely due to an ongoing rolling restart of the search head cluster.
action = Login to another search head to run your search again.
severity = info
capabilities = search
help =

name = Dispatch Runner

message = Configuration initialization for %s took longer than expected (%llums) when dispatching a search with search ID %s. This usually indicates problems with underlying storage performance.
severity = warn
capabilities = admin_all_objects

name = Dispatch Runner

message = Cannot dispose the currently running search (searchid='%s').
severity = warn

name = Distributed Search Handler

message = Bundle replication to peer named '%s' at %s failed.
severity = error

message = Bundle replication to peer named '%s' at %s succeeded.
severity = info

message = Unable to distribute to the peer named %s at uri %s because this instance is a part of a cluster and distributed search functionality has been disabled.
severity = warn

message = Unable to distribute to peer named %s at uri %s because replication was unsuccessful. ReplicationStatus: %s - Failure info: %s.
action = Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.
severity = warn

message = Search Head '%s' running Splunk version '%s' does not support distributing searches to the following peers: %s.
severity = warn

message = Unable to distribute to peer named %s at uri=%s using the uri-scheme=%s because peer has status=%s.
action = Verify uri-scheme, connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.
severity = warn

name = Distributed Bundle Replication Manager

message = The current bundle directory contains a large lookup file that might cause bundle replication to fail. The path to the directory is %s.
severity = warn
capabilities = admin_all_objects

name = Dump

message = Failed to create dir: %s.
severity = error

message = Failed to create tmp dir: %s.
severity = error

message = Failed to get Mtime of path: %s.
severity = error

message = Failed to get the size of file %s.
severity = error

message = Failed to rename file from %s to %s.
severity = error

message = '%s' is invalid. %s.
severity = error

message = '%s' is required.
severity = error

message = Parent search job '%s' is not running. Stopping...
severity = error

message = Invalid pathname for _dstpath: '%s'. The pathname contains a NULL character.
severity = error

message = Invalid filename for basefilename: '%s'. The filename contains a NULL character.
severity = error

message = '_dstpath' should not contain '..'
severity = error

message = '_dstpath' option '%s' is invalid. Directory names contain reserved strings or characters from the following list: CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, <, >, :, /, \, |, ?, *.
severity = error

name = Evaluator

message = The destination field is invalid. {} brackets must be closed.
severity = error

message = The '%s' function is unsupported or undefined.
severity = error

message = Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
severity = error

message = The expression is malformed. Expected %s.
severity = error

message = Failed to parse the provided arguments. Usage: eval dest_key = expression.
severity = error

message = The destination key is invalid.
severity = error

message = The expression is malformed.
severity = error

message = The arguments to the '%s' function are invalid.
severity = error

message = The number %s is invalid.
severity = error

message = The operator at '%s' is invalid.
severity = error

message = The expression is malformed. The unary op is invalid.
severity = error

message = The expression is malformed. Expected %c.
severity = error

message = The expression is malformed. An 'AND' term is missing.
severity = error

message = Arguments are missing. Usage: eval dest_key = expression.
severity = error

message = The expression is malformed. A comparison term is missing.
severity = error

message = The expression is malformed. The factor is missing.
severity = error

message = The expression is malformed. An 'OR' term is missing.
severity = error

message = The expression is malformed. A term is missing.
severity = error

message = Type checking failed. '%s' only takes boolean arguments.
severity = error

message = Type checking failed. The '.' operator only takes strings and numbers.
severity = error

message = Type checking failed. The '%s' operator received different types.
severity = error

message = Type checking failed. '%s' only takes numbers.
severity = error

message = Type checking failed. '+' only takes two strings or two numbers.
severity = error

message = The expression is malformed. An unexpected character is reached at '%s'.
severity = error

name = Event Count Processor

message = Failed to add new result.
severity = error

message = Failed to find index '%s'.
severity = error

message = No '%s' key is found in the results.
severity = error

message = Unable to parse '%s'.
severity = error

message = Unable to retrieve '%lu'.
severity = error

message = Unexpected exception found: '%s'.
severity = error

name = Event Type

message = Unsupported event type color=%s.
severity = error

message = The priority field should be a number greater than -1. priority=%s.
severity = error

message = Event type search string cannot be a search pipeline or contain a subsearch.
severity = error

message = The event type name cannot contain the '*' wildcard character.
severity = error

message = Error while parsing event type search: %s. Message: %s.
severity = error

name = Extern Processor

message = The external search command '%s' is disabled in commands.conf.
severity = error

message = Getinfo probe failed for external search command '%s'.
severity = error

message = The external search command '%s' does not exist in commands.conf.
severity = error

message = The Python version '%s' for command '%s' in commands.conf is invalid.
severity = error

message = The type '%s' for command '%s' in commands.conf is invalid.
severity = error

message = Script execution failed for external search command '%s'.
severity = error

message = External search command '%s' returned error code %d. %s.
severity = error

message = Could not find a valid session for external search command '%s'.
severity = error

message = Failed to read Search Results Info file modified by external search command.
severity = error

message = Could not locate the time (_time) field on some results returned from the external search command '%s'.
severity = error

message = The external search command '%s' did not return events in descending time order, as expected.
severity = error

name = Field Render Processor

message = Failed to parse the provided arguments. Usage: fieldformat field = expression.
severity = error

message = The destination field is invalid.
severity = error

message = Arguments are missing. Usage: fieldformat field = expression.
severity = error

name = Fields

message = Invalid field name '%s'.
severity = error

message = Must specify at least one valid field name (can contain wildcards).
severity = error

message = No matching fields exist.
severity = info

name = File Classifier

message = Unable to open '%s'.
severity = warn

message = Error (%s) encountered while getting breaking regex for new unknown type '%s'.
severity = error

message = Error (%s) encountered while getting file type for '%s'.
severity = error

message = Found a good breaking regex (%s) for the new sourcetype '%s' created from %s.
severity = info

message = Found regular timestamps for '%s' before %d.
severity = info

message = Found a regular timestamp prefix for '%s' with '%s'.
severity = info

message = Configuration has a suspiciously high number of sourcetypes (%lu). To prevent ballooning of more source types, the default maxDist has been increased.
severity = warn

message = The file '%s' is invalid. Reason: %s.
severity = warn

message = Not learning file '%s'. %s.
severity = error

message = Attempting to make a new unknown type '%s'. Single-line type: %s.
severity = info

message = Unable to get a good breaking regex for new unknown type '%s'.
severity = info

message = No sourcetype found for '%s'. Ignoring.
severity = error

message = Filename '%s' looks like sjis character encoding. Consider specifying 'CHARSET=sjis'.
severity = warn

message = Only able to read %lu lines from '%s.' %lu lines are required.
severity = warn

message = Training on the type '%s'.
severity = info

message = Unable to convert character set '%s' to UTF8. Using existing content as is.
severity = error

message = The '%s' setting in source-classifier.conf is unknown.
severity = warn

name = File Operator

message = You have insufficient privileges to perform this operation.
severity = error

name = Fillnull Processor

message = You must provide a field name.
severity = error

message = Field '%s' cannot be specified multiple times.
severity = error

message = Could not read file '%s'.
severity = error

name = Find Key Words

message = The label field supplied is invalid. The label field must be a field with integer values.
severity = error

message = Must specify 'labelfield'.
severity = error

message = Eventtyper search is malformed.
severity = error

name = Folderize Operator

message = Folderize requires an 'attr' value.
severity = error

message = Folderize encountered a bad count value '%s' on attribute '%s'.
severity = error

name = Format Processor

message = The ' ' arguments must be specified together or not at all.
severity = error

message = You must provide a 'field' value.
severity = error

message = You must provide a 'lowerfield' value.
severity = error

message = The 'format' command is using only the first %lu (of %lu) results.
severity = warn

message = The 'maxresults' value is out of range. It should be between 0 and %lu.
severity = error

message = You must provide a 'upperfield' value.
severity = error

name = From Processor

message = This search cannot run.
severity = warn

name = General

message = Unable to find the '%s' index.
severity = error

message = Unable to parse the search: %s.
severity = error

name = Geo Stats Processor

message = Binspan string cannot pass verification.
severity = error

message = Invalid latitude and longitudinal bounds.
severity = warn

message = Latitude values must be within the valid range of -90.0 and 90.0.
severity = warn

message = Invalid latitude/longitude and hence result will be skipped.
severity = error

message = Invalid latspan=%f. latspan must be within the valid range of 0.0 and 180.0.
severity = error

message = Invalid longspan=%f. longspan must be within the valid range of 0.0 and 360.0.
severity = error

message = maxclusters argument for geofilter has to be >= %d which is number of bins at lowest zoom level.
severity = warn

message = Invalid maxzoomlevel=%d. Maxzoomlevel must be within the valid range of 0 and 18.
severity = error

message = The split by field %s has a large number of unique values %d. Chart column set will be trimmed to 10. Use globallimit argument to control column count.
severity = warn

message = Invalid search arguments for geostats.
severity = error

message = Multiple split-by/group-by fields not allowed in geoviz when rendering using pie-chart. Use translatetoxy=false.
severity = error

message = Forced to skip results in geostats due to invalid latitude/longitude count='%llu'.
severity = warn

message = binspanlat and binspanlong need to be set together.
severity = error

message = Geostats error while processing subcommand. exception : '%s'.
severity = error

name = Head Processor

message = The argument must be a positive number or a boolean expression.
severity = error

message = The number of results must be a positive number.
severity = error

name = Index Processor

message = The metric value=%s is not valid for source=%s, sourcetype=%s, host=%s, %s. Metric event data with an invalid metric value cannot be indexed.
action = Ensure the input metric data is not malformed.
severity = warn
capabilities = indexes_edit

message = The metric value=%s provided for source=%s, sourcetype=%s, host=%s, %s is not a floating point value. Using a "numeric" type rather than a "string" type is recommended to avoid indexing inefficiencies.
action = Ensure the metric value is provided as a floating point number and not as a string. For instance, provide 123.001 rather than "123.001".
severity = warn
capabilities = indexes_edit

message = The metric name is missing for source=%s, sourcetype=%s, host=%s, %s. Metric event data without a metric name is invalid and cannot be indexed.
action = Ensure the input metric data is not malformed.
severity = warn
capabilities = indexes_edit

message = The index processor has paused data flow. Too many tsidx files in idx=%s bucket="%s", waiting for the splunk-optimize indexing helper to catch up merging them.
action = Ensure reasonable disk space is available, and that I/O write throughput is not compromised.
severity = warn
help =
capabilities = indexes_edit

message = A metric event with multiple, ambiguous "metric_name" fields has been found for source=%s, sourcetype=%s, host=%s, %s. This event is considered to be malformed. It cannot be indexed.
action = Ensure the input metric data has just one "metric_name" defined.
severity = warn
capabilities = indexes_edit

name = Index Scoped Search

message = The search failed. More than %d events found at time %d.
severity = error

name = Indexer Clustering

message = Failed to add peer '%s' to the master. Error=%s.
severity = error
capabilities = list_indexer_cluster

message = All peers went down during bundle push. The new bundle cannot be applied until the peers return to the cluster. The main cause for all peers going down during bundle push is a very large bundle. In that case, reduce the bundle size and push it again. For more information, search for "configuration bundle issues" in the documentation.
severity = warn
capabilities = list_indexer_cluster

message = The indexer %s is shutdown due to rolling restart and requires manual intervention for restart to proceed.
action = Restart the indexer manually.
severity = info
capabilities = list_indexer_cluster

message = Too many bucket replication errors to target peer=%s. Will stop streaming data from hot buckets to this target while errors persist.
action = Check for network connectivity from the cluster peer reporting this issue to the replication port of target peer. If this condition persists, you can temporarily put that peer in manual detention.
severity = warn
capabilities = list_indexer_cluster

message = Config validation failure reported in peer=%s guid=%s. %s.
severity = error
capabilities = list_indexer_cluster

message = The searchhead is a part of a cluster but distributed search has been disabled.
severity = info
capabilities = list_indexer_cluster

message = Failure to load cluster config (server.conf) Error = %s.
severity = error
capabilities = list_indexer_cluster

message = Failed to make bucket = %s searchable, retry count = %u.
severity = error
capabilities = list_indexer_cluster

message = Failed to register with cluster master reason: %s [ event=addPeer status=retrying %s ].
severity = warn
capabilities = list_indexer_cluster

message = Could not restart peer=%s due to peer status=%s. Skipping this peer from rolling restart entirely.
severity = warn
capabilities = list_indexer_cluster

message = Indexing not ready; fewer than replication_factor peers are up.
severity = warn
capabilities = list_indexer_cluster

message = Master has multisite %s but peer %s a site configuration.
severity = error
capabilities = list_indexer_cluster

message = The search process with sid=%s on peer=%s might have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart.
action = Try running the search again.
severity = error
capabilities = list_indexer_cluster
help = learnmore.idxc.searchable.upgrade

message = The public key has not been sent to the peer. Cannot add peer %s to the searchhead's peer list.
severity = error
capabilities = list_indexer_cluster

message = Clustering initialization failed. Could not bind to replication port (%u). Ensure that port is not in use.
severity = error
capabilities = list_indexer_cluster

message = Cluster is no longer in rolling upgrade mode.
severity = info
capabilities = list_indexer_cluster

message = Cluster is in rolling upgrade mode.
severity = info
capabilities = list_indexer_cluster

message = Waiting for requisite number of peers to join the cluster.
severity = info
capabilities = list_indexer_cluster

message = One or more replicated indexes might not be fully searchable. Some search results might be incomplete or duplicated during bucket fix up.
action = For more information, check the cluster manager page on the master - splunkd URI: %s.
severity = warn
capabilities = list_indexer_cluster

message = Site '%s' is not on the master's list of available sites. To fix, add it to the 'available_sites' attribute in the master's server.conf file.
severity = error
capabilities = list_indexer_cluster

message = Master has multisite %s but %s the 'multisite' attribute.
severity = error
capabilities = list_indexer_cluster

message = The searchhead is unable to update the peer information. Error = %s.
severity = error
capabilities = list_indexer_cluster

message = Search %s created by %s on the %s app was deferred to run after the searchable rolling restart or upgrade is completed. There are currently %d deferred searches in total.
severity = warn
capabilities = list_indexer_cluster

message = Search %s created by %s on the %s app was skipped during the searchable rolling restart or upgrade.
severity = warn
capabilities = list_indexer_cluster

name = Input CSV

message = Unable to create temporary directory after %lu retries.
severity = error

message = Unable to open file '%s'. error='%m'.
severity = error

message = File '%s' could not be opened for reading.
severity = error

message = Encountered %lu 'inconsistent number of column' errors while reading input.
severity = warn

message = '%s' is not a valid filename.
severity = error

message = You cannot read the file '%s' outside of the secure directory.
severity = error

message = This search does not have a valid job directory.
severity = error

message = Unable to read lookup file '%s'.
severity = error

message = The lookup table '%s' is invalid.
severity = warn

message = The 'max' option value is out of range. It must be between 1 and %lu.
severity = error

message = The option argument '%s' is invalid.
severity = error

message = The 'start' option value is invalid. It must be < %lu.
severity = error

message = The lookup file does not exist.
severity = error

message = Lookup file '%s' might use mac-style line endings, which are unsupported.
severity = warn

message = Successfully read lookup file '%s'.
severity = info

message = '%s' is not a file.
severity = error

message = The input file is missing.
severity = error

message = You have insufficient privileges to input a file from var/run/splunk/csv. You can input a temporary csv file (emitted by outputcsv within the same search) by passing 'dispatch=t' as an option.
severity = error

message = Unable to copy temporary file '%s'. error='%m'.
severity = error

message = Unable to create temporary file '%s'. error='%m'.
severity = error

message = Usage: %s [chunk=] .
severity = error

name = Installed Files Integrity Checker

message = Integrity Checker ran and completed, but claimed it is disabled; this is a bug. As a result, no trustworthy file integrity information can be produced.
severity = error
capabilities = admin_all_objects
help = message.validate.files

message = File Integrity checks found %llu files that did not match the system-provided manifest.
action = Review the list of problems reported by the InstalledFileHashChecker in splunkd.log [[/app/search/integrity_check_of_installed_files?form.splunk_server=%s|File Integrity Check View]] ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem.
severity = warn
capabilities = admin_all_objects
help = message.validate.files

message = Integrity Checker returned state OK but was not valid(), this is a bug. As a result, file integrity information is not available.
severity = error
capabilities = admin_all_objects
help = message.validate.files

message = Integrity Checker ran and completed, but claimed it is still in progress; this is a bug. As a result, no trustworthy file integrity information can be produced.
severity = error
capabilities = admin_all_objects
help = message.validate.files

message = Unable to access or parse the contents of manifest file in SPLUNK_HOME directory. As a result, file integrity information is not available.
action = Verify manifest file in SPLUNK_HOME directory is still present, and that the splunk service user context will have read-access.
severity = warn
capabilities = admin_all_objects
help = message.validate.files

name = Geo IP Processor

message = Could not parse 'lang' parameter.
severity = error

name = ISearch Result Infrastructure

message = No user context has been set. You cannot run the search.
severity = error

message = Operating system thread limit reached; search could not be run.
severity = error

message = Failed to create result provider for local peer with the stream '%s'.
severity = error

message = Failed to create result provider for remote peer '%s' at uri '%s' with the stream '%s'.
severity = error

message = Failed to start search on peer '%s'.
severity = warn

name = Join Processor

message = Mismatch in join field(s), left= %lu right=%lu.
severity = error

message = The following join field(s) do not exist in the data.
severity = error

message = Encountered an internal error while sorting the search results.
severity = error

message = Field(s) to selfjoin on are unspecified. %s.
severity = error

message = Usage: join ()* .
severity = error

name = JSON Transaction Processor

message = Action field is required.
severity = error

message = At least one correlation field is required.
severity = error

message = Missing max span.
severity = error

message = Invalid max span.
severity = error

name = Server-side Encryption (SSE) for Remote Storage

message = AWS Key Management Service reported that key_id=%s is disabled, specified for volume=%s. Splunk is unable to upload/download data to/from remote storage. This will affect searches as well as indexing.
action = Check the value for remote.s3.kms.key_id in indexes.conf and ensure this KMS key_id is enabled in AWS.
severity = error
capabilities = edit_encryption_key_provider

message = AWS Key Management Service reported that key_id=%s could not be found, specified for volume=%s. Splunk is unable to upload/download data to/from remote storage. This will affect searches as well as indexing.
action = Check the value for remote.s3.kms.key_id in indexes.conf and ensure this KMS key_id exists in AWS.
severity = error
capabilities = edit_encryption_key_provider

name = KVForm Processor

message = The form '%s' is empty.
severity = warn

message = The form '%s' is unknown.
severity = warn

name = KV Store

message = Cluster has not been configured on this member. %s.
severity = error

message = Cluster is inactive. %s.
severity = error

message = Failed to synchronize configuration with KVStore cluster. %s.
severity = error

message = Failed to sync collection configurations. See splunkd.log for details.
severity = error

message = Failed to connect to KVStore cluster. Authentication error. Check splunkd.log for details.
severity = error

message = Failed to establish communication with KVStore. See splunkd.log for details. %s.
severity = error

message = Could not retrieve local cluster information. %s.
severity = error

message = Failed to start KV Store process. See mongod.log and splunkd.log for details.
severity = error

message = KV Store changed status to failed. %s.
severity = error

message = Failed to start KV Store due to a previously failed migration.
action = Rerun the migration using the "splunk migrate migrate-kvstore" CLI command.
severity = error
capabilities = admin_all_objects
help = message.kvstore.migration

message = Local KV Store has replication issues. See introspection data and mongod.log for details. %s.
severity = error

message = Local instance has state %s.
severity = error

message = KVStore is not available in current build.
severity = error

message = KVStore process terminated.
severity = error

message = KV Store process terminated abnormally (exit code %d, status %s). See mongod.log and splunkd.log for details.
severity = error

name = KV Transformer

message = Extracting fields based on event type is not supported during the main search. See Splunk platform documentation for more information.
severity = debug

message = Failed to find a matching value group for the capturing key_group '%s'. Expecting to find val_group '%s'.
severity = warn

message = IndexOutOfBounds: invalid FORMAT capturing group id=%i, transform_name='%s'.
severity = warn

message = Invalid key-value parser, ignoring it, transform_name='%s'.
severity = warn

message = Invalid TOKENIZER '%s' for field '%s': No capturing groups.
severity = warn

message = Invalid TOKENIZER '%s' for field '%s': %s.
severity = warn

message = The transform '%s' is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references.
severity = error

message = Missing FORMAT for: transform_name='%s'.
severity = warn

message = Missing REGEX for: transform_name='%s'.
severity = warn

message = No valid key names found in FORMAT for transform_name='%s'.
severity = warn

message = Failed to properly initialize the key-value parser for transform_name '%s'. You must define at least one delimiter.
severity = warn

message = Failed to parse the key-value pair configuration for transform '%s'.
severity = warn

message = Regex '%s' has no capturing groups, transform_name='%s'.
severity = warn

message = Cannot compile RE \"%s\" for transform '%s': %s.
severity = error

name = License Manager

message = Failed to report hourly license usage to AWS Marketplace.
action = Correct before $t%ld to avoid search restrictions by ensuring Splunk instance can reach AWS endpoints. The next metering attempt will be in %d minutes.
severity = warn
capabilities = license_edit

message = Search restrictions in place due to failure to reach AWS endpoints in the last %d hours.
action = Reenable search by ensuring Splunk instance can reach AWS endpoints. The next metering attempt will be in one minute.
severity = warn
capabilities = license_edit

message = Your license has expired as of $t%ld.
capabilities = license_edit

message = Your license will soon expire on $t%ld.
capabilities = license_edit

message = Failed to contact license master: reason='%s', first failure time=%ld ($t%ld).
severity = warn
capabilities = license_edit

message = Daily indexing volume limit exceeded.
action = See [[/manager/search/licenseusage|License Manager]] for details.
severity = warn
capabilities = license_edit

message = Daily indexing volume limit exceeded for %u slaves.
action = See [[/manager/search/licenseusage|License Manager]] for details.
severity = warn
capabilities = license_edit

message = License warning issued within past 24 hours: $t%ld.
action = Refer to the License Usage Report view on license master '%s' to find out more.
severity = warn
capabilities = license_edit

message = Licensing warnings will be generated today.
action = See [[/manager/search/licenseusage|License Manager]] for details.
severity = warn
capabilities = license_view_warnings
help = learnmore.license.features

name = Load Job

message = Cannot find job_id '%s'.
severity = error

message = The savedsearch argument format is invalid. Expecting '%s'.
severity = error

message = There are no events in the artifacts of job_id '%s'.
severity = error

message = Artifacts are unavailable because the job (job_id='%s') is still running.
severity = error

message = Cannot find artifacts within the search time range for savedsearch_ident '%s'.
severity = error

message = Cannot find artifacts for savedsearch_ident '%s'.
severity = error

message = Permission denied. Cannot access artifacts of job_id '%s'.
severity = error

message = Error proxying the search artifact for job '%s'. Either the job does not exist, or there was an error communicating to the searchhead clustering captain.
severity = error

message = The search artifact for job '%s' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Run the search locally.
severity = error

message = The search artifact for job '%s' is not available because we cannot proxy a job that is not yet completed in searchhead clustering. Wait for the job to finish or run it locally. Job state='%s'.
severity = error

message = Job_id '%s' is invalid. Valid IDs are not reserved filenames, do not start with '.', and contain only letters, numbers, or the following characters: '
severity = error

name = Lookup Operator

message = All of the fields in the lookup table are specified as lookups, leaving no destination fields.
severity = error

message = Lookup '%s' returned with errors. Cannot perform lookup.
severity = error

message = You cannot use timefield as a lookup field.
severity = error

message = Could not find all of the specified destination fields in the lookup table.
severity = error

message = Could not find all of the specified lookup fields in the lookup table.
severity = error

message = Could not find '%s'. It is required for lookup '%s'.
severity = error

message = Could not get the size of file '%s'.
severity = error

message = Could not read lookup table file '%s'.
severity = error

message = Failed to re-open lookup file: '%s'
severity = error

message = The lookup table '%s' is disabled. Contact your system administrator.
severity = error

message = The following csv lookup file for table '%s' is empty: %s
severity = error

message = Error '%s' for conf '%s' and lookup table '%s'.
severity = error

message = Error '%s' for conf '%s' and lookup '%s'.
severity = error

message = Error reading lookup table '%s'.
severity = error

message = event_time_field option is not supported for lookup: '%s' as it is not a temporal lookup.
severity = error

message = Expecting lookup table name as the first argument.
severity = error

message = External command based lookup '%s' is disabled because KV Store is disabled.
severity = error

message = External command based lookup '%s' is not available because KV Store initialization has failed. Contact your system administrator.
severity = error

message = The external-command-based lookup '%s' requires at least 2 distinct fields in '%s'.
severity = error

message = The external-command-based lookup '%s' requires the '%s' key.
severity = error

message = External command based lookup '%s' is not available because KV Store is shutting down.
severity = error

message = External command based lookup '%s' is not available because KV Store initialization has not completed yet.
severity = error

message = External command based lookup '%s' is not available because KV Store status is currently unknown.
severity = error

message = External command based lookup '%s' failed because the selected Python runtime was not found.
severity = error

message = Field names cannot be empty.
severity = error

message = The '%s' filter could not be optimized for search results.
severity = error

message = The '%s' filter could not be verified. It might contain invalid operators, or could not be optimized for search results.
severity = error

message = The lookup input requires a res field.
severity = error

message = The platform does not support H3.
severity = error

message = The lookup input requires a latitude field.
severity = error

message = The lookup input requires a longitude field.
severity = error

message = Assuming implicit lookup table with filename '%s'.
severity = info

message = Error initializing index: '%s'
severity = error

message = Must specify one or more lookup fields.
severity = error

message = '%s' is invalid. It cannot be used for lookup '%s'.
severity = error

message = The invalid comparator '%s' was passed to expandSearch.
severity = warn

message = Could not construct lookup '%s'. See search.log for more details.
severity = error

message = The value for '%s' is invalid. It must be > 0 and <= %lu.
severity = warn

message = The value for '%s' is invalid. It must be >= 0 and <= %lu.
severity = warn

message = Invalid pathname for lookup: '%s'. Pathname contains a NUL character.
severity = error

message = The value for %s is invalid. Assuming %s.
severity = warn

message = Invalid value of %s for lookup: '%s'. Using system default.
severity = warn

message = The value for timeformat '%s' is invalid.
severity = error

message = The value for timeformat is not provided and hence using default time format.
severity = debug

message = KV Store is disabled in this Splunk distribution.
severity = error

message = External lookup table '%s' returned error code %d. Results might be incorrect.
severity = error

message = Failed to find KV store data file: '%s'
severity = error

message = The '%s' KV Store lookup table is empty or has not yet been replicated to the search peer (path used is: %s).
severity = error

message = Unable to perform the lookup. One or more fields required for the lookup are not indexed. If index_fields_list is set for the lookup configuration in transforms.conf, verify that it lists all required fields for the lookup.
severity = error

message = The max_matches value cannot be less than that of min_matches. Setting max_matches = min_matches (%lu).
severity = warn

message = The value for '%s' (%ld) must be >= '%s' (%ld). Reverting to defaults.
severity = warn

message = Missing alias after field '%s' in lookup command.
severity = error

message = The '%s' keyword must be followed by a search clause.
severity = error

message = Lookup %s cannot be used because the configured path to the lookup file contains path separators, which are unsupported. Using %s instead. Lookup files are expected in $SPLUNK_HOME/etc/system/lookups/ or $SPLUNK_HOME/etc//lookups/. Move the lookup file there and reconfigure the "file" setting without path separators.
severity = error

message = Lookup failed for user '%s' because collection '%s' in app '%s' is disabled.
severity = error

message = Lookup failed because collection '%s' in app '%s' does not exist, or user '%s' does not have read access.
severity = error

message = Lookup failed for collection '%s' in app '%s' for user '%s': %s.
severity = error

message = File for lookup table '%s' might be using unsupported mac-style line endings (carriage returns only): %s.
severity = warn

message = Script for lookup table '%s' returned non-zero (%d) for a reverse lookup; assuming reverse lookup is unknown.
severity = error

message = Script for lookup table '%s' returned error code %d. Results might be incorrect.
severity = error

message = The lookup table '%s' does not exist. It is referenced by configuration '%s'.
severity = error

message = Lookup table '%s' is empty.
severity = info

message = Lookup table names cannot be empty.
severity = error

message = The lookup table '%s' does not exist or is not available.
severity = error

message = The '%s' KV Store lookup table is empty or has not yet been replicated to the search peer (path used is: %s).
severity = error

message = Unable to parse event_time_field='%s', check whether it is in epoch format.
severity = warn

message = There were unresolved lookups on lookup table destruction.
severity = warn

message = Command type '%s' is unsupported for lookup '%s'.
severity = error

message = Usage: lookuptest .
severity = error

message = Error using lookup table '%s': CIDR and wildcard matching is restricted to lookup files under the in-memory size limit.
severity = error

name = Manual Detention

message = This search head is in manual detention. It will not run new searches while in detention.
severity = info
capabilities = list_search_head_clustering

name = Map Operator

message = Unable to run query '%s'.
severity = warn

message = The search result count (%lu) exceeds maximum (%lu), using max. To override it, set maxsearches appropriately.
severity = warn

message = Unable to find saved search '%s'.
severity = error

message = Usage: (search="subsearch" | saved_search_name).
severity = error

message = Did not find value for required attribute '%s'.
severity = error

name = Meta Search

message = Invalid metasearch. Rawdata is required for this search.
severity = error

name = Metadata Search Processor

message = Could not retrieve the main value for a row of type '%s'. Skipping.
severity = warn

message = Could not retrieve totalCount value for a row of type '%s'. Skipping.
severity = warn

message = You must specify a 'type' argument to 'metadata', as in 'type=hosts'.
severity = error

message = You have insufficient permissions to get metadata.
severity = warn

message = Windowed real-time mode not supported.
severity = error

message = Invalid 'datatype'. Possible 'datatype' values include 'event' and 'metric'.
severity = error

name = Metrics Processor

message = The append argument is only valid for prestats mode.
severity = error

message = Computed timespan = %s
severity = info

message = Error setting up eval processor for normalized command.
severity = error

message = _normEvalProc invalid in %s.
severity = error

message = Initial expanded filtering search: '%s', original search filter: '%s'.
severity = info

message = Failed to automatically compute an appropriate timespan.
severity = error

message = The mcatalog command does not allow real-time search.
severity = error

message = The mstats command does not allow real-time search with a wildcard '*' aggregation.
severity = error

message = The span argument is invalid for an mcatalog search.
severity = error

message = Missing field list after '%s' keyword.
severity = error

message = Missing rename after 'AS' argument.
severity = error

message = Missing search clause after 'WHERE' keyword.
severity = error

message = Metrics Source Index is not specified for roll up.
severity = error

message = Metrics Target Index is not specified for roll up.
severity = error

message = Index does not exist: %s
severity = error

message = Index is not of type metric: %s
severity = error

message = User does not have permission on specified target index: %s
severity = error

message = Insufficient Privileges - User has no run_mcollect Capability.
severity = error

message = Missing or Invalid timespan: %s
severity = error

message = Timespan specified '%s' is smaller than minimum supported timespan of '%s' seconds
severity = error

message = Invalid aggregate specified: %s
severity = error

message = Dimension list type specified dimension-list-type='%s' is not valid
severity = error

message = Metric list type specified metric-list-type='%s' is not valid
severity = error

message = An invalid aggregate '%s' is specified in metric override option '%s'
severity = error

message = Metric overrides specified metric-overrides='%s' is not in valid format.
severity = error

message = Metrics Catalog Search '%s' to fetch metrics dimensions failed. Exception = '%s'
severity = error

message = Invalid timespan: %s
severity = error

message = Cannot filter on 'metric_name' in normalized syntax.
severity = error

message = Cannot filter on the '_timeseries' field.
severity = error

message = Cannot include both normalized and denormalized calculations.
severity = error

message = Cannot use wildcards in mstats renames.
severity = error

message = The following argument can only be applied to real-time search: %s
severity = error

message = The following argument can only be applied to windowed real-time search: %s
severity = error

message = Wildcard arguments are not supported for mstats in prestats mode.
severity = error

message = Failed to properly normalize the following argument: %s
severity = error

message = Mstats normalizing eval search arguments: %s
severity = info

message = Mstats normalizing rename search arguments: %s
severity = info

message = Grouping by %s is not allowed.
severity = error

message = The specified metrics index was not found on the local host. Set a dummy stats processor to render search results properly.
severity = info

message = You do not have access to the specified metrics indexes on the local host.
severity = debug

message = No metrics index specified in %s clause, will search from default metric indexes.
severity = info

message = The WHERE clause time bounds cannot be supported by a real-time search.
severity = error

message = Specify the span argument to group events by time.
severity = error

message = _pStatsProc invalid in %s.
severity = error

message = Failed to connect for real-time.
severity = error

message = Failed to initialize internal real-time window data structure.
severity = error

message = Remote mstats search: %s
severity = debug

message = Repeated groupby field: %s
severity = error

message = Error reading from rtsearch endpoint: error code = %s
severity = error

message = _pRTWindowProc unexpectedly NULL in execute_input
severity = error

message = Successfully retrieved %lu results from RealtimeSearchResultInfrastructure::fetchresults()
severity = debug

message = Initialized tstats with the following arguments: %s
severity = info

message = Internal error, failed to construct tstats internal structure.
severity = error

message = The WHERE clause does not match any events. Returning no results.
severity = warn

name = Mod Alert Processor

message = Alert action "%s" not found.
severity = error

message = Cannot access results_file: '%s'. Permission denied.
severity = error

message = Cannot find a job with the search_id '%s'.
severity = error

message = Invalid 'payload_format' specified ('%s'), expecting 'json' or 'xml'.
severity = error

message = Results path is invalid. Found path separator character: '%s'.
severity = error

message = Results path is invalid. Path points to a directory and not a file: '%s'.
severity = error

message = Results path is invalid. Path points outside of dispatch directory: '%s'.
severity = error

message = Alert script returned error code %s.
severity = error

message = Alert script execution failed.
severity = error

message = Alert action script for action "%s" not found.
severity = error

message = The Python version '%s' for modular alert '%s' in alert_actions.conf is invalid.
severity = error

name = Modular Utility

message = Unable to find correct working directory for modular utility.
severity = error

name = Modular Inputs

message = Unable to initialize modular input "%s" defined in %s: %s.
severity = error
capabilities = edit_scripted

name = Multi KV Test

message = The following file is invalid: %s\n.
severity = error

message = The following option argument is invalid: \"%s\"\n.
severity = error

message = Usage: %s [options]\n.
severity = error

name = Multi KV Transformer

message = The argument '%s' is invalid.
severity = error

message = The forceheader value is invalid. It must be >= 1.
severity = error

message = The last_line value is invalid. It must be >= 1 and > start_line.
severity = error

message = The maxnewresults value is invalid. It must be >= 1.
severity = error

message = The max_header_lookahead value is invalid. It must be >= 1.
severity = error

message = The max_header_line value is invalid. It must be >= 1.
severity = error

message = The option '%s' is invalid.
severity = error

message = The start_line value is invalid. It must be >= 1.
severity = error

message = The '%s' keyword must be specified only once.
severity = error

message = The 'maxnewresults' option to multikv is deprecated. Ignoring option.
severity = info

name = Multi Report Processor

message = At least two search pipelines must be specified.
severity = error

name = MultiSearch Processor

message = Multisearch subsearches may only contain purely streaming operations (subsearch %d contains a non-streaming command).
severity = error

message = At least two searches must be specified.
severity = error

name = Multi Value Processor

message = The tokenizer regular expression is invalid.
severity = error

message = Provide a delimiter value.
severity = error

message = Field '%s' does not exist in the data.
severity = warn

message = A field name is expected.
severity = error

message = Cannot specify both delim and tokenizer options.
severity = error

name = Named Object

message = Missing dataset for data model '%s'.
severity = error

message = Invalid dataset-type '%s'.
severity = error

message = Invalid dataset specifier '%s', expected dataset-type:dataset-name.
severity = error

name = New Series Filter Processor

message = The aggregator field '%s' is invalid.
severity = error

message = The comparator '%s' is invalid.
severity = error

message = The criteria '%s' is invalid.
severity = error

message = The numerical threshold '%s' is invalid.
severity = error

message = The usage is invalid.
severity = error

message = The usage is invalid. Expected usage: %s [options].
severity = error

message = Encountered a setMultiValues() error on the '%s' field.
severity = error

name = New Chart Processor

message = Provide a value for '%s'.
severity = error

message = The ContinuityProcessor processed an event missing the '%s' field.
severity = warn

message = Provide a split-by field value.
severity = error

message = Provide an x-axis field value.
severity = error

message = Only the split-by and x-axis fields can be directly referenced in the eval expression.
severity = error

message = Encountered error '%s' while parsing the eval expression.
severity = error

message = The eval expression has no fields: '%s'.
severity = error

message = You cannot use 'per_*' aggregators in eval expression '%s'.
severity = error

message = The eval expression '%s' must be renamed.
severity = error

message = Complex eval expressions are only supported when you have specified a split-by field.
severity = error

message = A split-by field is expected.
severity = error

message = An x-axis field value is expected after the '%s' keyword.
severity = error

message = An x-axis field value is expected.
severity = error

message = The series aggregator function '%s' is invalid.
severity = error

message = The argument '%s' is invalid.
severity = error

message = The field name '%s' is invalid.
severity = error

message = The specifier '%s' is invalid. It must be in form (). For example: max(size).
severity = error

message = The dynamically evaled field expression '%s' is invalid. 'eval(...)' must have a single expression as an argument.
severity = error

message = The data field '%s' is malformed.
severity = error

message = You must specify data field(s) to chart.
severity = error

message = The following options were specified but have no effect when a split-by clause is not provided.
severity = warn

message = The following options were specified but have no effect when the 'where' clause is given: %s.
severity = warn

message = When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed.
severity = error

message = The specifier '%s' is specified multiple times and renamed with conflicting field names.
severity = error

message = Series filtering is disabled if a split-by field is used in conjunction with multiple data series.
severity = warn

message = Caught a subcommand exception: %s.
severity = error

name = Outlier Filter Processor

message = The outlierfilter action '%s' is invalid.
severity = error

message = The option to %s '%s' is invalid.
severity = error

message = The outlierfilter param value %f is invalid.
severity = error

message = The outlierfilter type: '%s' is invalid.
severity = error

message = Field '%s' specified multiple times.
severity = error

name = Output CSV

message = Cannot append to a gzipped file.
severity = error

message = '%s' must be a filename, not a path.
severity = error

message = Failed to create directory '%s'.
severity = error

message = Could not create a directory for multi-file output '%s'.
severity = error

message = No results. Created empty file '%s'.
severity = warn

message = No results. Created empty collection '%s'.
severity = info

message = Filenames may not contain '..'.
severity = error

message = Error reading internal file header '%s'.
severity = error

message = The file name '%s' is invalid, absolute paths are not permitted.
severity = error

message = The file name '%s' is invalid.
severity = error

message = This search does not have a valid job directory.
severity = error

message = You have insufficient privileges to output to var/run/splunk/csv. You can output a temporary csv file (that can only be used within the same search) by passing 'dispatch=t' as an option.
severity = error

message = No results. Retaining existing lookup file '%s'.
severity = info

message = A lookup table name or file name is required.
severity = error

message = Found no results to %s to collection '%s'.
severity = warn

message = Found no results to %s to file '%s'.
severity = warn

message = Results written to collection '%s'.
severity = info

message = Results written to file '%s' on serverName='%s'.
severity = info

message = Too many results for memory. Not all results are included in this output.
severity = warn

message = Could not %s to file '%s': %s.
severity = error

message = Could not %s to collection '%s': %s.
severity = error

message = Could not write to the result file '%s'.
severity = error

message = Could not create csv dir.
severity = error

name = Output Lookup

message = You have insufficient privileges to perform this operation.
severity = error

name = Pivot Evaluator

message = Cannot use asterisk in label '%s'.
severity = error

message = Cannot sort using field of type '%s'.
severity = error

message = Cannot split using field of type '%s'.
severity = error

message = Invalid limit type '%s' for sort.
severity = error

message = Cannot get row count for dataset '%s'.
severity = error

message = Cannot use '%s' on field type '%s'.
severity = error

message = Must use non-empty field name for split.
severity = error

message = Pivot requires a base dataset.
severity = error

message = Cannot use equals sign in label '%s'.
severity = error

message = Search exceeds maximum number of rows in a pivot limit filter.
severity = error

message = Cannot filter using '%s' on field type '%s'.
severity = error

message = Pivot Evaluator received an invalid filter type.
severity = error

message = The pivot report JSON was not valid.
severity = error

message = Limit amount is outside the allowed range.
severity = error

message = The pivot report JSON did not specify a valid report.
severity = error

message = Invalid search mode for pivot search string.
severity = error

message = Cannot use Pivot because no data model is loaded.
severity = error

message = User must specify a data model to pivot on.
severity = error

message = Must have non-empty cells for column split.
severity = error

message = Must have non-empty cells or non-empty rows.
severity = error

message = You must specify either 'pivot_json' or 'pivot_search'.
severity = error

message = Cannot use Pivot because no dataset is loaded.
severity = error

message = Cannot use Pivot because no report is loaded.
severity = error

message = Could not parse pivot search. Search appears to be malformed.
severity = error

message = Missing field to apply stats function to in sort.
severity = error

message = Missing field name to sort by.
severity = error

message = Missing stats function to sort by.
severity = error

message = Pivot Evaluator failed to tokenize search '%s'.
severity = error

message = Found multiple data models with name '%s'.
severity = warn

message = Invalid stats function '%s' in cell.
severity = error

name = Preview Generator

message = You have insufficient privileges to perform this operation.
severity = error

message = Cannot parse argument '%s'.
severity = error

message = Cannot run this search in a separate process.
severity = error

message = A file to preview has already been specified, rejecting '%s'.
severity = error

message = A file to preview is required.
severity = error

name = Read Summary Directive

message = Issue occurred with data model '%s'. Issue: '%s' Reason: '%s'.
severity = warn
capabilities = search

message = Failed to parse options. Clearing out read-summary arguments.
severity = warn
capabilities = search

name = Redistribute In Processor

message = The redistribute-in request has an invalid option: %s.

message = The redistribute-in process failed because: %s.

name = Redistribute Out Processor

message = The redistribute-out process has failed because: %s.

message = The redistribute-out process failed. Check search.log for details.

message = An unknown exception occurred during the redistribute-out process.

name = Redistribute Processor

message = Cannot redistribute events that have been aggregated at the search head. Place the redistribute command before transforming commands that do not have a 'by' clause.
severity = error

message = Unable to autodetect redistribute fields for the remote phase of the search. Provide the fields.
severity = error

message = Redundant redistribute detected. Remove the redundant command.
severity = error

message = Invalid argument: '%s'
severity = error

message = To use the 'redistribute' command, the user must have the '%s' capability. Ignoring the 'redistribute' command.
severity = warn

message = Must specify at least one field after 'by'.
severity = error

message = To use the 'redistribute' command, phased_execution_mode must be set to 'multithreaded' or 'auto' in limits.conf. Ignoring the 'redistribute' command.
severity = warn

name = Regex

message = The regex '%s' is invalid. %s.
severity = error

message = Usage: regex (=|!=) .
severity = error

name = Remote Login

message = Remote login disabled by '%s' in server.conf.
severity = error

message = Remote login disabled because you are using a free license, which does not provide authentication. To resolve this, either switch to the forwarder-only license or to the enterprise trial license included with the product. To override this and enable unauthenticated remote management, edit the '%s' setting in your server.conf file.
severity = error

message = Remote login has been disabled for '%s' with the default password. Either set the password, or override by changing the '%s' setting in your server.conf file.
severity = error

name = Remote Storage

message = The search process with search_id="%s" may have returned partial results.
action = Try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administrator.
severity = error

name = Rename Operator

message = Invalid field name '%s'.
severity = error

message = Wildcard mismatch: '%s' as '%s'.
severity = error

message = Usage: rename [old_name AS/TO/-> new_name]+.
severity = error

message = Multiple renames to field '%s' detected. Only the last one will appear, and previous 'from' fields will be dropped.
severity = warn

name = Replace Processor

message = Could not fill pattern '%s' for string '%s' using matching pattern '%s'.
severity = warn

message = Usage: replace [orig_str WITH new_str]+ [IN field1, field2, ...].
severity = error

message = Wildcards might not have consecutive '*' characters.
severity = error

message = Wildcards and their replacements must have a matching number of '*' characters.
severity = error

name = REST Processor

message = Failed to fetch REST endpoint uri=%s from server %s.
action = Check that the URI path provided exists in the REST API.
severity = error
capabilities = search
help =

message = Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
severity = warn
help =

name = Rest Search

message = The priority should be in the following range: [0-10].
severity = error

message = The search job's priority was changed to %lu.
severity = info

message = The ttl of the search job was changed to %lu.
severity = info

message = Empty search.
severity = error

message = Failed to locate job status for job=%s.
severity = error

message = Internal server error.
severity = error

message = Invalid action.
severity = error

message = Invalid add_export_offset.
severity = error

message = Invalid add_export_timestamp.
severity = error

message = Invalid add_summary_to_metadata.
severity = error

message = Invalid allow_preview.
severity = error

message = Invalid allow_queue.
severity = error

message = Invalid argument.
severity = error

message = Invalid attachment.
severity = error

message = Invalid auto_cancel.
severity = error

message = Invalid auto_finalize_ec.
severity = error

message = Invalid auto_pause.
severity = error

message = Invalid config.
severity = error

message = Invalid count.
severity = error

message = Invalid spawn_process.
severity = error

message = Invalid earliest_time.
severity = error

message = Invalid email_list.
severity = error

message = Invalid email_results.
severity = error

message = Invalid email_subject.
severity = error

message = Invalid enable_event_stream.
severity = error

message = Invalid enable_lookups.
severity = error

message = Invalid end_time.
severity = error

message = Invalid Events Viewer.
severity = error

message = Invalid exec_mode.
severity = error

message = Invalid export_XML_with_wrapper.
severity = error

message = Invalid field.
severity = error

message = Invalid field_list.
severity = error

message = Invalid force_bundle_replication.
severity = error

message = Invalid generation_ID.
severity = error

message = Invalid geo_bounds_north.
severity = error

message = Invalid geo_bounds_south.
severity = error

message = Invalid geo_lat_field.
severity = error

message = Invalid geo_lon_field.
severity = error

message = Invalid id.
severity = error

message = Invalid index_earliest.
severity = error

message = Invalid index_latest.
severity = error

message = index_latest must be after index_earliest.
severity = error

message = Invalid latest_time: latest_time must be after earliest_time.
severity = error

message = Invalid max_count.
severity = error

message = Invalid max_lines.
severity = error

message = Invalid max_time.
severity = error

message = Invalid message_level.
severity = error

message = Invalid min_freq.
severity = error

message = Invalid negate.
severity = error

message = Invalid now.
severity = error

message = Invalid offset.
severity = error

message = Invalid offset_field.
severity = error

message = Invalid output_mode.
severity = error

message = Invalid output_time_format.
severity = error

message = Invalid parse_only.
severity = error

message = Invalid ignore_parse_error argument.
severity = error

message = Invalid peer.
severity = error

message = Invalid preview.
severity = error

message = Invalid preview_freq.
severity = error

message = Invalid profile.
severity = error

message = Invalid provenance.
severity = error

message = Invalid query.
severity = error

message = Invalid reduce_freq.
severity = error

message = Invalid reload_macros.
severity = error

message = Invalid replay_et.
severity = error

message = Invalid replay_lt.
severity = error

message = Invalid replay_speed.
severity = error

message = Invalid reuse_max_seconds_ago.
severity = error

message = Invalid rt_backfill.
severity = error

message = Invalid rt_blocking.
severity = error

message = Invalid rt_connect_timeout.
severity = error

message = Invalid earliest_time for a real-time search.
severity = error

message = Invalid indexedRealtime.
severity = error

message = Invalid indexedRealtimeOffset.
severity = error

message = Invalid rt_indexfilter.
severity = error

message = Invalid latest_time for a real-time search.
severity = error

message = Invalid rt_maxblocksecs.
severity = error

message = Invalid rt_maximum_span.
severity = error

message = Invalid rt_queue_size.
severity = error

message = Invalid rt_receive_timeout.
severity = error

message = Invalid rt_read_timeout.
severity = error

message = Invalid sample_ratio.
severity = error

message = Invalid sample_seed.
severity = error

message = Invalid adhoc_search_level.
severity = error

message = Invalid search log.
severity = error

message = Invalid search_mode.
severity = error

message = Invalid search_state_msgs.
severity = error

message = Invalid segmentation.
severity = error

message = Invalid server_name.
severity = error

message = Invalid show_incomplete.
severity = error

message = Invalid show_metadata.
severity = error

message = Invalid show_offset.
severity = error

message = Invalid start_time.
severity = error

message = Invalid status buckets.
severity = error

message = Invalid summary_mode.
severity = error

message = Invalid surrounding.
severity = error

message = Invalid sync_bundle_replication.
severity = error

message = Invalid time.
severity = error

message = Invalid timeline.
severity = error

message = Invalid timeline_freq.
severity = error

message = Invalid timeout.
severity = error

message = Invalid timerange.
severity = error

message = Invalid tz.
severity = error

message = Invalid time_format.
severity = error

message = Invalid top_count.
severity = error

message = Invalid truncation_mode.
severity = error

message = The ttl should be a positive integer: %s.
severity = error

message = Invalid use_histogram.
severity = error

message = Invalid value.
severity = error

message = Invalid warn_unused_arguments.
severity = error

message = Search job cancelled.
severity = info

message = Search job finalized.
severity = info

message = Search job results preview disabled.
severity = info

message = Search job results preview enabled.
severity = info

message = Search job paused.
severity = info

message = Search job saved.
severity = info

message = Search job touched.
severity = info

message = Search job continued.
severity = info

message = Search job unsaved.
severity = info

message = The method is not allowed.
severity = error

message = Number of sort_key and sort_dir arguments do not match.
severity = error

message = Missing action.
severity = error

message = You are missing latitude argument for latfield.
severity = error

message = You are missing longitude argument for longfield.
severity = error

message = You are missing south bound.
severity = error

message = You are missing north bound.
severity = error

message = You are missing east bound.
severity = error

message = You are missing west bound.
severity = error

message = You are missing the priority for the set priority action.
severity = error

message = You are missing the ttl argument for the ttl action.
severity = error

message = Your search must be executed in a separate process.
severity = error

message = Only one action per call is allowed.
severity = error

message = Permission denied.
severity = error

message = A real-time search must start with the search command.
severity = error

message = The search id of a real-time search must start with %s, sid=%s.
severity = error

message = Unable to read the job status.
severity = error

message = Unknown action.
severity = error

message = Unknown endpoint.
severity = error

message = Unknown sid.
severity = error

message = The search job terminated unexpectedly.
severity = error

name = REST Typeahead Endpoint

message = Invalid earliest_time.
severity = error

message = Invalid latest_time: latest_time must be after earliest_time.
severity = error

message = Invalid time format.
severity = error

name = Restart Required

message = Splunk must be restarted for changes to take effect.
action = Contact Splunk Cloud Support to complete the restart.
severity = warn
capabilities = restart_reason

message = Splunk must be restarted for changes to take effect.
action = Contact your system administrator to complete the restart.
severity = warn
capabilities = restart_reason

message = Splunk must be restarted for changes to take effect.
action = [[/manager/search/control|Click here to restart from the Manager]].
severity = warn
capabilities = restart_splunkd

name = Required Event Types Directive

message = Failed to retrieve arg '%s'.
severity = warn
capabilities = search

message = Found no existing required event types. Falling back to all event types unless another directive provides valid required eventtypes.
severity = warn
capabilities = search

name = Required Tags Directive

message = Failed to retrieve arg '%s'.
severity = warn
capabilities = search

message = Found no existing required tags. Falling back to all tags unless another directive provides valid required tags.
severity = warn
capabilities = search

name = Rex Command

message = The regex '%s' does not extract anything. It should specify at least one named group. Format: (?...).
severity = error

message = Encountered the following error while compiling the regex '%s': %s.
severity = error

message = Usage: regex [field=] .
severity = error

name = Rollup Processor

message = '%s' is invalid.
severity = error

message = Incorrect format for '%s'.
severity = error

message = Cannot %s policy for index='%s'. The index does not exist.
severity = error

message = Cannot %s policy for index='%s'. This is not a metric index. Rollup policies can be applied only to metric indexes.
severity = error

message = Cannot %s policy for index='%s'. The index is disabled.
severity = error

message = Cannot %s the rollup policy for index='%s'. This rollup policy is disabled. To reenable the policy, go to %s.conf and mark 'disabled=0' under [index:%s] stanza. Then, restart Splunk.
severity = error

message = Will not create the automated scheduled search for index='%s'. Index or policy is disabled.
severity = error

message = Stanza name='%s' is invalid.
severity = error

message = The name of the source index for a rollup policy cannot be an empty string.
severity = error

message = The name of the source index for a rollup policy cannot have leading or trailing spaces.
severity = error

message = Cannot %s policy for index='%s'. This rollup policy already exists.
severity = error

message = Cannot %s policy for index='%s'. It failed to %s the automated scheduled search that creates the rollup summary.
severity = error

message = Cannot %s policy for index='%s'. No policy found for this index.
severity = error

message = Proxy failed. %s
severity = error

message = Failed to apply rollup policy. The source index is empty or not specified.
severity = error

message = Failed to apply the rollup policy to index='%s'. That index does not exist.
severity = error

message = Failed to apply the rollup policy to index='%s'. This is not a metric index. Rollup policies can be applied only to metric indexes.
severity = error

message = Failed to apply the rollup policy to index ='%s'. The index is disabled.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' is not valid.
severity = error

message = Failed to apply rollup policy to index='%s'. One or more rollup summaries must be specified for the rollup policy.
severity = error

message = Failed to apply rollup policy to index='%s'. Multiple rollup summaries with equivalent spans have been specified for target index='%s'.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' is not valid. Modify this setting with one of the following methods: 1. Make a POST operation to the catalog/metricstore/rollup/{index} endpoint to update the '%s' setting. 2. Edit the 'defaultAggregation' setting in %s.conf and restart the system to apply your change.
severity = error

message = Failed to apply rollup policy to index='%s'. The metrics override aggregation function='%s' is not valid for the metric: %s.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' is below the minimum timespan for the searches that build the rollup summaries=%s seconds.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' cannot be cron scheduled.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' does not exist.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' is disabled.
severity = error

message = Failed to apply rollup policy to index='%s'. %s='%s' is not a metric datatype.
severity = error

message = Cannot have multiple values for argument '%s'.
severity = error

name = RTOrder Processor

message = max_buffer_size must be > 0 and <= %lu.
severity = error

message = Invalid buffer_span '%s'.
severity = error

name = Saml

message = Authenticating...
severity = info

message = Saml response does not contain group information.
severity = error

message = Verify the time in the saml response from IDP is in UTC time format.
severity = error

message = Could not parse '%s' time.
severity = error

message = No valid Splunk role found in local mapping.
severity = error

message = Logging out...
severity = info

message = Ensure the configuration in Splunk matches the configuration in the IdP.
severity = error

message = The '%s' field in the saml response from the IdP does not match the configuration.
severity = error

message = Fix the configuration in the IdP to include '%s' in the saml response to complete login successfully.
severity = error

message = The '%s' field is missing in the saml response from the IdP.
severity = error

message = Redirecting after logout...
severity = info

message = The '%s' condition could not be verified successfully. The saml response is not valid.
severity = error

message = Unsupported signature algorithm.
severity = warn

name = Saved Search Auditor

message = The user is missing the following capabilities and therefore cannot run the search as configured: %s. The search will run with the default values for the missing capabilities.
severity = error

name = Saved Search Admin Handler

message = Earliest and latest times should either both start with "rt" or none can.
severity = error

message = Unable to create saved search with name '%s'. A saved search with that name already exists.
severity = error

message = Saved search "%s" cannot be executed because it is disabled.
severity = error

message = Unable to save changes to saved search with name '%s'.
severity = error

message = Cannot parse alert condition. %s.
severity = error

message = Cannot parse time argument '%s': '%s'.
severity = error

message = Real time searches cannot be executed by the scheduler.
severity = error

message = Invalid %s="%s".
severity = error

message = Invalid value "%s" for "%s": must be either a duration or a percentage.
severity = error

message = Invalid cron_schedule="%s".
severity = error

message = Invalid value "%s" for "%s": must be one of "default", "higher", or "highest".
severity = error

message = Invalid value "%s" for "%s": must be either "auto" or in the range 0-44640.
severity = error

message = Index name=%s does not exist. The summary index must exist in order for a scheduled search to populate it.
severity = error

message = Latest time must be after earliest time.
severity = error

message = Missing required argument: %s.
severity = error

message = Cannot find saved search with name '%s'.
severity = error

message = No cron schedule specified.
severity = error

message = This scheduled search will not run after the Splunk %s Trial License expires.
severity = warn

name = Metric Alert Messages

message = A metric alert '%s' already exists.
severity = error

message = A metric alert cannot have the same name ('%s') as an existing savedsearch.
severity = error

message = A metric alert with name '%s' does not exist.
severity = error

message = Metric alert name cannot be empty for '%s'.
severity = error

message = Metric alert name cannot be longer than 100 chars for '%s'.
severity = error

message = metric_indexes cannot be empty for '%s'.
severity = error

message = metric_indexes cannot have empty index for '%s'.
severity = error

message = You (user='%s') do not have access to metric index '%s' for '%s'. If the current environment is a distributed environment, please make sure that the roles user '%s' has on Search Head add the index '%s' to srchIndexesAllowed.
severity = error

message = Cannot edit/create a metric alert for wildcarded users or applications.
severity = error

message = Metric alert server fails to %s metric alert '%s'.
severity = error

message = Metric alert condition cannot be empty for '%s'.
severity = error

message = Invalid metric alert condition evaluator: must evaluate a condition expression first.
severity = error

message = Failed to parse metric alert condition. condition="%s". error="%s".
severity = error

message = Failed to parse aggregate of metric alert condition. condition="%s". aggregate="%s". error="%s".
severity = error

message = Failed to evaluate metric alert condition. condition="%s". error="%s".
severity = error

message = Failed to parse field in %s. field="%s". %s="%s". error="%s".
severity = error

name = Saved Splunk Processor

message = Unable to find saved search named '%s'.
severity = error

message = Encountered the following error while building a search for saved search '%s': %s.
severity = error

message = Usage: %s [options].
severity = error

name = Saved Splunker

message = Could not assume system context. Search scheduler will not run. Report this to Splunk support.
severity = error

message = Real time searches cannot be executed by the scheduler. Disabling schedule for savedsearch_id="%s".
severity = error

message = Cannot get hostname. Defaulting to localhost.
severity = warn

message = Failed to set user context for saved search with id '%s'. Disabling its schedule.
severity = warn

message = The maximum number of concurrent scheduled searches has been reached (%lu). %lu ready-to-run scheduled searches are pending.
severity = warn

message = The search scheduler is disabled by the license Splunk is using. Scheduled searches that populate a summary index were found, but they will not be executed. This might affect dashboard panels that depend on the summary index. [!/help?location=learnmore.license.features Learn more].
severity = warn

message = Splunk has found %llu orphaned searches owned by %llu unique disabled users.
severity = info

message = %s: Scheduler thread previously started.
severity = error

message = Unknown error in %s.
severity = error

message = Unknown error while processing actions for saved search '%s'.
severity = error

message = Relation '%s' is unknown.
severity = error

name = Script

message = Cannot find program '%s' or script '%s'.
severity = error

message = Could not start child process.
severity = error

message = Deprecated use of '%s'. The script type argument '%s' will be ignored.
severity = warn

message = Could not create the input pipe.
severity = error

message = Maxinputs must be at least %ld, command name="%s".
severity = warn

message = Unable to get an authentication string for the external search command name="%s".
severity = warn

message = You do not have permission to run the '%s' script %s.
severity = error

message = Encountered error while setting up the output pipe.
severity = error

message = Received the following pipe error: %d.
severity = error

message = Encountered the following error while running the '%s' script: %s.
severity = error

message = You cannot run a script (%s) outside of the secure directory.
severity = error

message = Requires at least one argument: [].
severity = error

message = Only Python and Perl scripts are supported.
severity = error

name = Search Factory

message = Unknown search command '%s'.
severity = error
capabilities = search

name = Search Head Clustering

message = The search head cluster captain (%s) is disconnected; skipping configuration replication.
severity = warn
capabilities = list_search_head_clustering
help = learnmore.shc.confreplication

message = Search head cluster member (%s) is having problems pulling configurations from the search head cluster captain (%s). Changes from the other members are not replicating to this member, and changes on this member are not replicating to other members.
action = Consider performing a destructive configuration resync on this search head cluster member.
severity = error
capabilities = list_search_head_clustering
help = learnmore.shc.confreplication

message = Search head cluster member (%s) is having problems pushing configurations to the search head cluster captain (%s). Changes on this member are not replicating to other members.
severity = warn
capabilities = list_search_head_clustering
help = learnmore.shc.confreplication

message = Received an invalid mgmt_uri %s for the search head cluster. This cluster member %s might be in a bad state.
severity = error
capabilities = admin_all_objects
help = message.shc.troubleshooting.raft

message = Search head cluster member has a corrupted raft state.
severity = error
capabilities = admin_all_objects
help = message.shc.troubleshooting.raft

name = Search Head Cluster Deployer

message = The configuration bundle contains the following default apps: %s. %s Do not use the deployer to push default apps to the search head cluster members. Read the topic "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual on for details. %s If you are sure you want to do this, push the configuration bundle again using the "-push-default-apps true" option.
help = learnmore.shc.deployer
severity = warn
capabilities = list_search_head_clustering

name = Search Optimizer

message = Search optimization failed. The search will run as written; however, suboptimal search performance might occur.
severity = info
capabilities = search

name = Search Parser

message = You must provide a macro expression.
severity = error

message = You must provide macro and argument names.
severity = error

message = The macro expression '%s' is invalid. A macro name is required.
severity = error

message = The macro expression '%s' is invalid. %s.
severity = error

message = The macro expression '%s' is invalid. Expected closing ')'.
severity = error

message = The macro expression '%s' is invalid. All arguments must be named or none can be named.
severity = error

message = The name '%s' is invalid. Macro and argument names might only include alphanumerics, '_' and '-'.
severity = error

message = The macro expression '%s' is invalid. The argument list does not match the definition.
severity = error

message = '%s' does not expect any arguments. Ignoring the '%s' conf key.
severity = warn

message = The argument list for macro '%s' is invalid. Expected %s elements.
severity = error

message = Unable to find a definition for macro '%s'. It is expected in the '%s' conf key.
severity = error

message = The search specifies a macro '%s' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
severity = error

message = The argument list for macro '%s' is missing. It is expected in the '%s' conf key.
severity = error

message = The argument list for macro '%s' is invalid. It contains repeated names.
severity = error

message = The definition of macro '%s' is expected to be an eval expression that returns a string.
severity = error

message = Reached maximum recursion depth (%lu) while expanding macros. Check for infinitely recursive macro definitions.
severity = error

message = Error for macro argument expression '%s'. Arguments that start with '(' must end with ')'.
severity = error

message = Macro argument expression '%s' has mismatched parens.
severity = error

message = Mismatched ']'.
severity = error

message = Mismatched '['.
severity = error

message = Missing a closing tick mark for macro expansion.
severity = error

message = Missing a search command before '%c'. Error at position '%u' of search query '%s'.
severity = error

message = Subsearches are only valid as arguments to commands. Error at position '%u' of search query '%s'.
severity = error

message = Cannot run this search as it contains too many nested subsearches. Maximum nested subsearches allowed: %lu.
severity = error

message = The trailing escape character is invalid.
severity = error

message = Unbalanced quotes.
severity = error

message = Encountered the following error while validating macro '%s': %s.
severity = error

message = The validation expression is invalid: '%s'.
severity = error

name = Search Pipeline

message = Encountered an unknown exception while evaluating arguments for command: '%s'.
severity = error

message = Encountered an unknown exception while executing command: '%s'.
severity = error

name = Search Processor

message = Permission denied to index '%s'.
severity = error

message = Field names cannot be empty strings.
severity = error

message = Option '%s' is invalid.
severity = error

message = Invalid option value. Expecting a '%s' for option '%s'.
severity = error

message = Invalid option value. Expecting a '%s' for option '%s'. Instead got '%s'.
severity = error

message = Subsearch_maxout cannot be greater than maxresultrows.
severity = warn

message = Mismatched quotes.
severity = error

message = Mismatched quotes and/or parenthesis.
severity = error

message = Field '%s' should not be specified more than once.
severity = error

message = Option '%s' should not be specified more than once.
severity = error

message = There are no matching indexes that you have permission to access.
severity = error

message = Subsearches of a real-time search run over all-time unless explicit time bounds are specified within the subsearch.
severity = info
capabilities = rtsearch

message = Subsearch evaluated to the following search expression: %s
severity = debug
capabilities = search

message = Subsearch produced %lu results, truncating to maxout %lu.
severity = info
capabilities = search

message = Timed out (%lu secs) while waiting for subsearch results.
severity = error

message = Unknown subsearch failure.
severity = error

name = Search Results

message = Unable to create or write to temporary file '%s'.
severity = error

message = Unexpected error parsing CSV header.
severity = error

message = Encountered an error while reading file '%s'.
severity = error

message = Could not write to file '%s'.
severity = error

message = Unable to ::gzopen() temporary file '%s' for writing.
severity = error

message = Encountered the following gzwrite error: %m.
severity = error

message = The limit has been reached for log messages in info.csv. %lu messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit.
severity = error

message = The index into SearchResult is invalid.
severity = error

message = command.%s: output will be truncated at %lu results due to excessive memory usage. Memory threshold of %luMB as configured in %s / [%s] / %s has been reached.
severity = warn

message = Unable to find the results info CSV at %s.
severity = error

message = Unable to parse '%s'.
severity = error

message = Unable to update '%s'; could not rename temporary file '%s': Retried %lu times, period=%lu ms. Internal error: '%s'.
severity = info

message = Unable to update '%s'; could not rename temporary file '%s': Retried %lu times, period=%lu ms. error='%m'.
severity = info

message = Failed to update search metric: '%s'. Search Metrics results might be incorrect.
severity = error

message = Could not write to new file '%s' in splitFile().
severity = error

name = Set Processor

message = Three arguments are required: [] [+(union) | -(diff) | ^(intersect)] [].
severity = error

message = The set operator is invalid. It must be either +(union), -(diff), or ^(intersect).
severity = error

name = Shape Processor

message = You must provide a field argument.
severity = error

message = The maxresolution value must be between 2 and 50. Defaulting to %d.
severity = error

name = SHC Upgrading

message = Upgrade of this search head cluster is in progress.
severity = info
capabilities = list_search_head_clustering

name = SHPooling Manager

message = Failure to load shpool config (server.conf) Error = %s.
severity = error

message = Failed to register with shpool captain reason: %s [ event=addPeer status=retrying %s ].
severity = warn

message = Search head pool is not ready; fewer than replication_factor peers are up.
severity = warn

message = Search head clustering initialization failed. Could not bind to replication port (%u). Ensure that port is not in use.
severity = error

message = A rolling restart was initiated for peers requiring a restart. But some peers have not heartbeat recently (last %u seconds) and might not yet have advertised restart required to the captain. Such peers might be skipped in this rolling restart and might need to be restarted manually.
severity = warn

name = Simple Log Clustering Processor

message = The threshold must be > 0.0 and < 1.0.
severity = error

message = The countfield name must not be empty.
severity = error

message = The labelfield name must not be empty.
severity = error

message = Reached the maximum number of clusters (%lu). Some results were not clustered.
severity = warn

message = The 'match' type is unknown. Valid values are 'termlist', 'termset', and 'ngramset'.
severity = error

name = Sort Processor

message = Failed to copy file '%s' to '%s' because of: %m.
severity = error

message = The empty string argument is invalid.
severity = error

message = The empty field name in the argument is invalid: '%s'.
severity = error

message = There is a mismatched parenthesis in field specifier '%s'.
severity = error

message = You must specify fields to sort.
severity = error

message = Could not open or create file '%s' for writing.
severity = error

message = Failed to read header for internal file '%s'.
severity = error

message = Failed to rename file '%s' to '%s'.
severity = error

message = Could not write to file '%s'.
severity = error

name = SPath

message = Invalid field.
severity = error

message = The path '%s' is not a valid spath location path.
severity = error

message = You have not specified a path. Try using "path=mypath" as an argument to spath.
severity = error

name = Stats Processor

message = reset_after must be a boolean expression.
severity = error

message = The number of wildcards between field specifier '%s' and rename specifier '%s' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum(*).
severity = error

message = Percentile must be a floating point number that is >= 0 and < 100.
severity = error

message = Invalid timespan specified for sparkline.
severity = error

message = reset_before must be a boolean expression.
severity = error

message = Could not rename file '%s' to '%s'.
severity = error

message = Did not properly fill rename pattern '%s'.
severity = warn

message = This search uses deprecated 'stats' command syntax. This syntax implicitly translates '' or '()' to '()', except for cases where the function is 'count'. Use '()' instead.
severity = info

message = Using deprecated stats feature '%s'. Please use '%s' instead.
severity = info

message = You must specify a rename for the aggregation specifier on the dynamically evaluated field '%s'.
severity = error

message = You cannot use multi-function specifiers ('all' or 'default') with dynamically evaluated fields.
severity = error

message = Failed to write to file '%s'.
severity = error

message = The aggregation specifier '%s' is invalid. The aggregation specifier must be in func_name format.
severity = error

message = The argument '%s' is invalid.
severity = error

message = The dynamically evaluated field specifier '%s' is invalid. The field specifier must be non-empty, start with '{', and end with '}'.
severity = error

message = The eval expression for dynamic field '%s' is invalid. Error='%s'.
severity = error

message = Invalid aggregation function for sparkline.
severity = error

message = The rename value is invalid.
severity = error

message = Invalid sparkline specifier.
severity = error

message = time_window must be a valid time span.
severity = error

message = The wildcard field is invalid. It contains consecutive wildcards.
severity = error

message = The streaming window size %lu is invalid (maximum size = %lu).
severity = error

message = You must specify at least one field after 'by'.
severity = error

message = You must specify a field name after 'as'.
severity = error

message = You cannot specify a rename for multi-function specifiers ('all' or 'default').
severity = error

message = The output field '%s' cannot have the same name as a group-by field.
severity = error

message = No events found containing field(s) '%s'.
severity = debug

message = The results directory has not been created: '%s'.
severity = error

message = Sparklines not specific to a field must use the "count" aggregator.
severity = error

message = Corrupt information from pre-stats:
severity = warn

message = Repeated group-by field '%s'.
severity = error

message = %llu duplicate rename field(s). Original renames: %s. Duplicate renames: %s.
severity = error

message = The field name '%s' is invalid. All fields starting with '%s' are reserved for internal use. Rename your field.
severity = error

message = The data in each row is too large to aggregate. Consider increasing max_mem_usage_mb.
severity = error

message = Cannot set global to false when using a time window.
severity = error

message = Cannot set current to false when using a time window.
severity = error

message = time_window can only be used on input that is sorted in time order (both ascending and descending order are ok).
severity = error

name = Stream Search

message = Failed to create a bundles setup with server name '%s'. Using peer's local bundles to execute the search, results might not be correct.
severity = error

message = Streamed search failed to eval %s.
severity = error

message = Streamed search execute failed because: %s.
severity = error

message = Streamed search failed. You have insufficient privileges to run the search.
severity = error

message = Roles did not come in as part of the url.
severity = warn

message = Unable to find a 'user' parameter in the streamed search. Attempting to acquire the user context.
severity = warn

message = Streamed search parse failed because %s.
severity = error

message = Found no server name in the url. Cannot determine the correct context.
severity = error

message = TcpPipe valid is valid after close.
severity = info

name = Streaming Delete Operator

message = You have insufficient privileges to delete events.
severity = error

message = You cannot delete events using a real-time search.
severity = error

name = String Concatenate Processor

message = The last field must be the destination field name.
severity = error

message = Fields cannot be empty.
severity = error

message = The argument '%s' is invalid.
severity = error

message = There are not enough fields. Usage: %s srcfield1 srcfield2 ... srcfieldn dest_field.
severity = error

name = Surrounding Data Operator

message = Could not validate this source. There might be gaps in this data or this data might have been tampered with. See splunkd.log.
severity = warn

message = The following required arguments were not provided to the SurroundingDataOperator: %s.
severity = error

message = Splunk has validated that this data has not been tampered with.
severity = info

message = Detected possible tampering with this source.
severity = warn

message = Could not validate the consistency of this source. There might be gaps in this data.
severity = warn

message = Too many events (> %lu) in a single second.
severity = error

message = Unable to find any surrounding events.
severity = error

message = Unable to parse id '%s'.
severity = error

message = An unknown exception occurred while reading results in the surrounding data processor.
severity = error

message = An unknown exception occurred while verifying the block signature.
severity = error

message = Splunk validated the consistency of this data and found no gaps.
severity = info

name = TCP Output Processor

message = The TCP output processor has paused the data flow. Forwarding to host_dest=%s inside output group %s from host_src=%s has been blocked for blocked_seconds=%ld. This can stall the data flow towards indexing and other network outputs.
action = Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
severity = warn
help = message.stall.splunktcpout
capabilities = edit_forwarders

name = Time Liner

message = Ignored %lu events because they were after the commit time (%lu).
severity = error

message = Some events cannot be displayed because they cannot be fetched from the remote search peer(s). This is likely caused by the natural expiration of the related remote search jobs. To view the omitted events, run the search again.
severity = error

name = New Series Filter Processor

message = The comparator '%s' is invalid.
severity = error

name = Transaction

message = Transaction option '%s' has been deprecated. Ignoring its value.
severity = warn

message = Some transactions have been discarded. To include them, add keepevicted=true to your transaction command.
severity = info

message = The fields option is invalid when a list of fields is provided in the argument list.
severity = error

message = There must be at least one constraint for finding transactions.
severity = error

message = this.cached_results (%lu) should be >= txn.event_count (%lu). Setting to 0.
severity = warn

message = Could not find alias '%s' in pattern '%s'.
severity = error

message = Field '%s' does not exist in results. It is required for transaction '%s'.
severity = error

message = Transaction '%s' is unknown.
severity = error

message = Wildcards are only supported at the end of transaction names.
severity = error

name = TS Collect Processor

message = Failed to create directory for namespace='%s'.
severity = error

message = Failed to initialize TSIDX directory for namespace='%s'.
severity = error

message = Failed to parse invalid optimize period: '%s'.
severity = error

message = Failed to sync TSIDX directory for namespace='%s' reason='%s'.
severity = error

message = Failed to finish TSIDX event in namespace='%s' errcode=%d.
severity = error

message = Failed to add token in namespace='%s' token='%s' errcode=%d.
severity = error

message = Failed to create TSIDX event in namespace='%s' errcode=%d.
severity = error

message = The tscollect command is deprecated.
severity = warn

name = Tsidx Stats Processor

message = Some minified buckets have been excluded from the search. You can use the include_reduced_buckets=t option of the tstats command to include the results.
severity = warn

message = Reduced buckets were found in index='%s'. Tstats searches are not supported on reduced buckets. Search results will be incorrect.
severity = error

message = Your search results might be incorrect. The tstats command does not support multiple time ranges.
action = Instead, use multiple tstats commands with append mode.
severity = warn

name = TypeaHead Operator

message = Count is a required argument.
severity = error

message = The count value (%s) cannot be greater than the allowed maximum (%s).
severity = warn

message = You do not have privileges to run the typeahead command.
severity = error

name = Type Discoverer

message = Only one optional argument is expected: .
severity = error

message = Too many results to train on all of them. Using only first results.
severity = warn

name = Unified Search

message = Eventtype '%s' does not exist or is disabled.
severity = warn

message = Savedsearch '%s' does not exist or is disabled.
severity = warn

message = You do not have permission to invoke debugging commands.
severity = error

message = Search syntax '%s' is deprecated. Use '%s' instead.
severity = warn

message = Failed to get the search filter for user '%s'.
severity = error
capabilities = search

message = This command only searches event indexes. To search metric indexes, use the mstats command.
severity = error

message = All indexes removed from search due to permission.
severity = warn

message = Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting or calling 866.GET.SPLUNK.
severity = error

message = Your Splunk Light license expired or you have exceeded your license limit too many times. Renew your Splunk Light license by visiting visiting
severity = error

message = metasearch must be specified as the first command.
severity = error

message = Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.
severity = warn

message = Real-time search is disabled for peer '%s'.
severity = info

message = Real-time search must be specified as the first command.
severity = error

message = You do not have permission to spawn real-time searches.
severity = error

message = RegexException: '%s'.
severity = error

message = The term '%s' contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.
severity = info
capabilities = search
help =

message = An unknown error occurred while parsing the search.
severity = error
capabilities = search

name = Union Processor

message = Missing arguments. Expecting a list of datasets and subsearches.
severity = error

message = Expected at least 2 datasets, got %lu.
severity = error

message = Invalid argument '%s'. Expecting a list of datasets and subsearches.
severity = error

message = Maximum allowed subsearches is %lu.
severity = error

name = User Limits

message = A system resource limit on this machine is below the minimum recommended value: system_resource = %s; current_limit = %llu; recommended_minimum_value = %llu.
severity = warn
capabilities = admin_all_objects
action = Change the operating system resource limits to meet the minimum recommended values for Splunk Enterprise.
help =

message = This instance is running on a machine that has kernel transparent huge pages enabled. This can significantly reduce performance and is against best practices.
severity = warn
capabilities = admin_all_objects
action = Turn off kernel transparent huge pages using the method that is most appropriate for your Linux distribution.
help =

name = Where Operator

message = The expression is invalid. The result of a 'where' expression must be boolean.
severity = error

name = Workload Manager

message = Failed to read/process default pool in the search category.
severity = error
action = Define the default pool under category search in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to read/process default pool in the ingest category.
severity = error
action = Define the default pool under category ingest in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Default search pool cannot be the same as the ingest pool in the general stanza.
severity = error
action = Specify default search pool that is different from the default ingest pool in the general stanza in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Default search pool is not set in the general stanza.
severity = error
action = Specify the default search pool in the general stanza in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Default ingest pool is not set in the general stanza.
severity = error
action = Specify the default ingest pool in the general stanza in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to read/process workload pool = %s.
severity = error
action = Specify a valid workload pool in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = No workload pools found in the configuration.
severity = error
action = Specify valid workload pool(s) in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to setup workload pool = %s.
severity = error
action = Validate that both the cpu and mem cgroups for the workload pool on the system are correct.
capabilities = edit_workload_pools
help = learnmore.linux_cgroups

message = Workload category is invalid for pool = %s.
severity = error
action = Specify a valid category which is "search", "ingest" or "misc".
capabilities = edit_workload_pools
help = learnmore.linux_cgroups

message = Failed to read/process workload rule = %s.
severity = error
action = Specify a valid workload rule in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_rules.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to find/process required rule order stanza.
severity = error
action = Define the workload_rules_order stanza with rules in the correct order in the workload_rules.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to read/process workload category = %s.
severity = error
action = Specify correct parameters for workload category in the [[/manager/system/workload_management|Workload Management UI]] or in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to setup workload category = %s.
severity = error
action = Validate that both the cpu and mem cgroups for the workload category on the system are correct.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Workload Category "ingest" and/or "misc" has more than one workload pool defined.
severity = error
action = Define only one workload pool in the "ingest" and "misc" category in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to read duplicate default category pool=%s.
severity = error
action = Define only one default category in a category in the workload_pools.conf file.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = The indexer configuration for workload management is not reflected on disk.
severity = error
action = The workload management configuration has been updated and is operational, but the configuration is not yet reflected on the indexers. For future compatibility, copy the latest workload_pools.conf configuration from a search head to the cluster master and push the configuration to the peer nodes.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Failed to migrate workload management to the latest version.
severity = error
action = The existing configuration might be incorrect. If so, fix the configuration in workload_pools.conf and retry upgrade/restart. Alternatively, delete the old configuration, restart, and add the configuration in the new version. For help, contact Splunk support with the results of running bin/splunk diag.
help = learnmore.configure_workloads

message = The workload pools configuration has some pools defined without a category.
severity = error
action = Define all workload pools with a valid category value.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = Cannot define the workload pool=%s under misc category when the category's weights are 0.
severity = error
action = Change the workload misc category's cpu and memory weights to values greater than 0.
capabilities = edit_workload_pools
help = learnmore.configure_workloads

message = %s Splunk base directory check

message = %s Splunk base directory %s is missing.

message = %s Splunk base directory permissions

message = %s Splunk base directory %s requires read and write permissions.

message = Operating System

message = Operating system must be Linux.

message = Cgroup Version

message = Cgroup must be version 1 and it must be properly mounted.

message = Unit file check

message = Unit file %s is missing. Restart Splunk then rerun preflight checks.

message = Delegate property set to true

message = The 'Delegate' property in the unit file must be set to 'true'. Restart Splunk then rerun preflight checks.

message = Splunk launched under systemd

message = In the unit file, the 'Restart' property must be set to 'always'. The 'ExecStart' property must include '_internal_launch_under_systemd'. Make sure the up-to-date unit file is loaded.

message = The search %s has been running for more than %s in workload pool %s. This search triggered workload rule %s.
severity = info
action = Make sure this search is expected to run in the specified workload pool.
capabilities = edit_workload_rules,list_workload_rules,list_workload_pools,select_workload_pools
help = learnmore.configure_workloads

message = The search %s was moved from workload pool %s to workload pool %s because it triggered workload rule %s.
severity = info
action = Make sure this search is expected to run in the specified workload pool.
capabilities = edit_workload_rules,list_workload_rules,list_workload_pools,select_workload_pools
help = learnmore.configure_workloads

message = The search %s was aborted because it triggered workload rule %s.
severity = info
action = Make sure this search is expected to run in the specified workload pool.
capabilities = edit_workload_rules,list_workload_rules,list_workload_pools,select_workload_pools
help = learnmore.configure_workloads

name = XY Series

message = Wildcard field '%s' cannot be used in xyseries command for xfield or yfield.
severity = error

message = At least one data field must be specified.
severity = error

name = CLILIB Bundle paths

message = Application installation failed because: %s.
severity = error

message = The archive would extract to an absolute path.
severity = error

message = The archive does not contain an application subdirectory.
severity = error

message = The archive contains more than one application subdirectory: '%s' and '%s'.
severity = error

message = Beginning migration of \etc\bundles\%s ...
severity = info

message = Migration of \etc\bundles\%s is complete.
severity = info

message = Omitting the '%s' directory from migration.
severity = info

message = Application '%s' already exists: %s.
severity = info

message = Cleaning up %s.
severity = info

message = Would move '%s'.
severity = info

message = Merging %s into %s.
severity = info

message = Ignoring %s because %s already exists.
severity = info

message = Cannot create %s.
severity = warn

message = Directories in /etc/bundles/ are ignored by Splunk's configuration system:
severity = warn

message = Splunk no longer writes to this file. See $SPLUNK_HOME/etc/system/local.
severity = warn

message = Export is not required for %s.
severity = info

message = Exporting %s.
severity = info

message = Importing %s.
severity = info

message = Failed to copy out application metadata.
severity = error

name = Metric Search

message = You have insufficient privileges to perform this operation.
severity = error

0 Karma

New Member


I cannot connect on that port. But it is not routing or a firewall. I checked all that already. I don't think Splunkd is punching the hole for that port. It does not show as listening on netstat.

I'm able to telnet on ports 800 and 8089 without issues, but not on 9997.

I configured the listener via the WebUI console; maybe it didn't do a good job at opening the port. Is there a way of checking the Splunk config via CLI?
Thank you

0 Karma


Hi ngct2020,
first a question: when you say that you see the message in your Splunk Enterprise console, do you mean that you see this message on the Universal Forwarder CLI interface or in the Splunk web interface?
If on the Splunk web interface, it means that there's a temporary problem and sometimes logs arrive and sometimes not.
Probably you don't have these messages in Splunk web.

If you have it on the Universal Forwarder, this message means that your UF cannot connect to the Indexers, so you have to debug this connection:
first using Telnet:

telnet indexer_ip 9997

If you cannot connect, you have to check the routes between the Domain Controller and the Indexers; probably there's an intermediate firewall or a local firewall active.
I think that you already activated log receiving on the Indexers on port 9997 (or another one).

If you can connect with Telnet, you have to verify the addressing in your outputs.conf: are you using the indexer's hostname or IP address? If hostname, use the IP address; maybe there's a problem with DNS resolution.

Then check if there's any message on the Splunk console at Splunk startup: to check this, run the Splunk start command using cmd instead of services.


0 Karma
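An added triage script, not from this thread and not Splunk's own code, that automates the three checks the reply above walks through: which indexers outputs.conf points at, whether each one completes a TCP connection on its receiving port, and whether splunkd.log on the forwarder is already recording the TcpOutputProc block behind the FORWARDING_BLOCKED message. Assumptions: a bash host with the Splunk defaults (SPLUNK_HOME = /opt/splunkforwarder, outputs.conf under etc/system/local, splunkd.log under var/log/splunk), and the splunkd.log line shape shown in the constructed sample; on the Windows domain controller itself the same files live under the forwarder's install directory.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, not Splunk's code): offline-capable triage for a
# Universal Forwarder whose console shows FORWARDING_BLOCKED / TcpOutputProc stalls.
# (1) list the indexers outputs.conf targets, (2) test TCP reachability of each,
# (3) pull the block warnings out of splunkd.log. SPLUNK_HOME and the log-line
# shape are assumptions.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # assumed UF install path

# Print one "host:port" per line for every server= setting in outputs.conf.
# Splunk accepts comma-separated server lists, so split on commas and trim.
parse_outputs_servers() {
    local conf="$1"
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$'
}

# Exit 0 if host:port completes a TCP handshake within $3 seconds (default 3).
# Uses bash's /dev/tcp so it works where telnet is not installed. An open port only
# proves reachability: it does not prove a Splunk receiver is enabled on it, nor
# that the indexer's TLS requirements match the forwarder's outputs.conf.
tcp_check() {
    local host="$1" port="$2" secs="${3:-3}"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Print "group:seconds" for each TcpOutputProc block warning in a splunkd.log.
# Assumed line shape:
#   "... WARN  TcpOutputProc - Forwarding to indexer group G blocked for N seconds."
blocked_groups() {
    local log="$1"
    sed -n 's/.*TcpOutputProc.*Forwarding to indexer group \([^ ]*\) blocked for \([0-9]*\) seconds.*/\1:\2/p' "$log"
}

# Constructed sample files (not real captures) so the script can be exercised offline.
write_samples() {
    local base="$1"
    mkdir -p "$base/etc/system/local" "$base/var/log/splunk"
    cat > "$base/etc/system/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.0.5:9997, 10.0.0.6:9997
EOF
    cat > "$base/var/log/splunk/splunkd.log" <<'EOF'
05-22-2020 14:00:52.000 -0400 INFO  TailReader - Batch input finished reading file
05-22-2020 14:00:52.100 -0400 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 100 seconds.
EOF
}

# Run all three checks against a Splunk base directory and print a verdict per indexer.
main() {
    local base="${1:-$SPLUNK_HOME}"
    local conf="$base/etc/system/local/outputs.conf"
    local log="$base/var/log/splunk/splunkd.log"
    local s host port
    echo "Targets in $conf:"
    for s in $(parse_outputs_servers "$conf"); do
        host="${s%:*}"; port="${s##*:}"
        if tcp_check "$host" "$port"; then
            echo "  $s  TCP open (now confirm a receiver is enabled: splunk display listen)"
        else
            echo "  $s  TCP NOT reachable (check routing, host and local firewalls, and the port)"
        fi
    done
    echo "Blocked output groups in $log (group:seconds):"
    blocked_groups "$log" | sed 's/^/  /'
}

case "${1:-}" in
    --demo) d="$(mktemp -d)"; write_samples "$d"; main "$d"; rm -rf "$d" ;;
    --run)  main ;;
esac
```

Run it with `--demo` to see the flow on the constructed sample, or with `--run` on a real forwarder. A reachable port is necessary but not sufficient: on the indexer, `splunk display listen` must list the receiving port (`splunk enable listen 9997` adds one), and on the forwarder `splunk list forward-server` shows whether each indexer is under "Active forwards" or "Configured but inactive forwards". Reusing a well-known service port such as 23 for receiving also invites collisions with existing firewall rules for telnet; the conventional 9997 is easier to reason about. Finally, connectivity alone yields no events: to collect the domain controller's audit trail the UF also needs a `[WinEventLog://Security]` stanza in its inputs.conf.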