Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WARN StreamedSearch - Could not find bundles for search head provided checksum=

rphillips_splk
Splunk Employee
Splunk Employee
‎03-10-2015 03:18 PM

The message: WARN StreamedSearch - Could not find bundles for search head provided checksum=xxx keeps popping up on one search head in a search head pool from all search peers anytime a search (basic or complex) from that search head is initiated. Verified that all search heads, nfs server and indexers are synchronized to the same ntp server.

SPLUNK VERSION:
VERSION=6.1.3
BUILD=220630
PRODUCT=splunk
PLATFORM=Linux-x86_64

Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-10-2015 03:37 PM

I recently encountered this issue and did not see any answers on how to resolve this message other than check ntp sync. but what if ntp is already in sync between search heads, nfs and indexers?

-check status of your search peers from the search head throwing the WARN message and see if any are in a failed state.
settings> distributed search> Search peers

(in this case one of the indexers had replication status of failed)

Although not a sophisticated answer this is what was done to correct / stop the message from occurring:

  • restart splunk on the indexer that had replication status of failed
  • restart splunk on the search head throwing the WARN message
  • verify the indexer replication status is successful via the Search Head GUI >settings> distributed search> Search peers

to restart splunk from command line:
$SPLUNK_HOME/bin
./splunk restart

subsequently another set of messages (below) suspected to be related to the problem we were seeing also cleared:

ERROR DistBundleRestHandler - Problem untarring file: /opt/splunk/var/run/searchpeers/xxx.bundle

WARN DistBundleRestHandler - There was a problem renaming: /opt/splunk/var/run/searchpeers/xxx.tmp -> /opt/splunk/var/run/searchpeers/xxx: Directory not empty

View solution in original post

Reply
Solved! Jump to solution

rsimmons
Splunk Employee
Splunk Employee
‎05-04-2015 05:58 AM

This was a known issue (SPL-97601) in bundle replication where skewed modtimes on temporary bundle files cause premature reaping and errors in distributed search. The workaround is to fix clock skew between indexers and NFS server hosting $SPLUNK_HOME/var/run/searchpeers. The issue has also been resolve in the latest release of Splunk.

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-10-2015 03:37 PM

I recently encountered this issue and did not see any answers on how to resolve this message other than check ntp sync. but what if ntp is already in sync between search heads, nfs and indexers?

-check status of your search peers from the search head throwing the WARN message and see if any are in a failed state.
settings> distributed search> Search peers

(in this case one of the indexers had replication status of failed)

Although not a sophisticated answer this is what was done to correct / stop the message from occurring:

  • restart splunk on the indexer that had replication status of failed
  • restart splunk on the search head throwing the WARN message
  • verify the indexer replication status is successful via the Search Head GUI >settings> distributed search> Search peers

to restart splunk from command line:
$SPLUNK_HOME/bin
./splunk restart

subsequently another set of messages (below) suspected to be related to the problem we were seeing also cleared:

ERROR DistBundleRestHandler - Problem untarring file: /opt/splunk/var/run/searchpeers/xxx.bundle

WARN DistBundleRestHandler - There was a problem renaming: /opt/splunk/var/run/searchpeers/xxx.tmp -> /opt/splunk/var/run/searchpeers/xxx: Directory not empty

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...