Multisite Distributed Search: Why am I getting search head error "Encountered an error deserializing SearchResultsInfo from Results Stream header"?

andrearodrigues
Explorer

Hi,

In a multisite distributed search environment with 1 search head and 4 indexers, it seems that the Search Head has difficulty retrieving answers from the different indexers. Found this error in the search results of the search head:

ERROR SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

Does anybody know if it is linked and how to fix it?
Splunk Enterprise 6.3.1

andrearodrigues
Explorer

Hi,

Update :

We noticed that the issue also happens when performing a search on the _audit index!! As you can see below, only 3 of the 4 indexers retrieve information.

0 Karma

s2_splunk
Splunk Employee

I found an open bug ticket with similar symptoms. Please open a case with Splunk support and provide a diag from your search head and at least one of your indexers.

andrearodrigues
Explorer

Hi,

Case opened with Splunk on this issue. Indexers are randomly missing when performing a search from the SH on various indexes. It seems to be linked with this error; moreover, we don't have it in the search.log when all indexers are displayed in the splunk-server field (i.e. for a search with no problem).

0 Karma

pj
Contributor

Is this a bug? What is the SPL code? I am seeing these errors in a large environment I am currently working with. It is also running 6.3.1. Thanks. It appears to jam the search, then after a number of seconds it then continues and results are displayed.

0 Karma

BP9906
Builder

Ditto, saw it on an adhoc search and took too long to respond on the SHC.

04-07-2016 07:37:44.753 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=deindexer in 0.112000 seconds
04-07-2016 07:37:44.755 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=irindexer1 in 0.002000 seconds
04-07-2016 07:37:44.757 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=irindexer2 in 0.002000 seconds
04-07-2016 07:37:44.757 INFO UserManager - Setting user context: bp9906
04-07-2016 07:37:44.757 INFO UserManager - Done setting user context: NULL -> bp9906
04-07-2016 07:37:44.761 INFO DispatchThread - Disk quota = 10485760000
04-07-2016 07:37:45.941 ERROR SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.
04-07-2016 07:37:45.943 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:47.542 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:49.510 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:51.700 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:52.770 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:53.844 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:37:55.042 INFO DispatchThread - Generating results preview took 1 ms
04-07-2016 07:38:01.782 INFO DispatchThread - Generating results preview took 1 ms

0 Karma

ben_leung
Builder

plus 1; where is the SPL code to follow up on?

0 Karma