Deployment Architecture

Why am I getting an error when using the xmlkv in a search on one of my search heads?

jeffbat
Path Finder

I am trying to use the xmlkv command in a search on one of my search heads and it is returning errors. This had worked in the past so I am not sure what might have changed to start causing the issue.

The search being used is:

sourcetype=CUDL| xmlkv| top Status

The error that I am getting is:

[INDEX01] Streamed search execute failed because: Error in 'xmlkv' command: Cannot find program 'xmlkv' or script 'xmlkv'.
[INDEX02] Streamed search execute failed because: Error in 'xmlkv' command: Cannot find program 'xmlkv' or script 'xmlkv'.
[INDEX03] Streamed search execute failed because: Error in 'xmlkv' command: Cannot find program 'xmlkv' or script 'xmlkv'.

The setup we have is a non-clustered search head which is reading data from a 3 node set of clustered indexers.

All of our servers are running on Windows OS and Splunk Enterprise 6.6.3.

I have other search heads that connect to the same backend indexers for pulling data, and when executing the same command on them; the data returns as expected.

So I am thinking this is some issue on the search head triggering the errors, like a permission or something but I cannot find anything that is different from the other search heads.

Any ideas on what might be set incorrectly?

Tags (3)
0 Karma
1 Solution

jeffbat
Path Finder

That was the issue. We had adjusted what goes in the replication bundle and it was not sending over the scripts.

Adjusted that part and sure enough it is working fine once again.

Thanks.

(I would mark this as the correct answer but for some reason it is not showing me that option)

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Here you go (converted my comment to answer so that you can close the question).

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...