
Why am I intermittently getting "no results found"

CaptainHook
Communicator

Has anyone run up against an issue where you are intermittently getting "no results found" on any search in your environment? If so, were you able to determine what was causing the issue?

As stated, the issue is intermittent, and to add to the complexity, I have noticed that one user may get results while another user cannot for the same search at the same time. (We are currently using search head pooling with two search heads.) Nothing was changed in the user roles before the issue surfaced, and it has not been tied specifically to one search head or the other.

Any thoughts and/or areas to focus on would be greatly appreciated. Thank you.


CaptainHook
Communicator

We are using search head pooling, and it was determined that the authorize.conf file varied from one search head to the other, causing contention. Once authorize.conf was updated to match and the search head was restarted, the issues were resolved.


sloshburch
Splunk Employee

This could be a few things:

  • The users have different roles. One role has access to the index the data lives in while the other doesn't.
  • The role access definition is different between the two search heads; even if they are using the same SHP, there could be system/local config that is not the same.

In both scenarios, using btool should show you the access. Run this on both search heads and look for differences in the properties srchIndexesAllowed, srchIndexesDefault and srchFilter for the role and for the roles it imports via importRoles:

$SPLUNK_HOME/bin/splunk btool authorize list --debug
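The comparison sloshburch describes, and the per-head authorize.conf drift that turned out to be the root cause, can be automated rather than eyeballed. The script below is an added example and is not code from this thread or from Splunk: it parses the output of `splunk btool authorize list --debug` captured on each search head, resolves importRoles transitively, and reports every difference in srchIndexesAllowed, srchIndexesDefault and srchFilter for one role together with the file each value came from (so a value that lives in one head's system/local stands out). The two embedded btool dumps are constructed for the example; the paths, role names and index names in them are made up, and only the line layout mirrors real btool output.

```python
"""Diff effective role search permissions between two pooled Splunk search heads.

Input is the text of `splunk btool authorize list --debug` from each head.
Example code, not part of the original thread; sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample btool --debug output for two heads in one pool.
# Head 2 carries a stale system/local authorize.conf (hypothetical values).
SH1_BTOOL = """\
/opt/splunk/etc/system/default/authorize.conf  [role_user]
/opt/splunk/etc/system/default/authorize.conf  srchIndexesAllowed = main
/opt/splunk/etc/system/default/authorize.conf  srchIndexesDefault = main
/opt/splunk/etc/system/local/authorize.conf    [role_secops]
/opt/splunk/etc/system/local/authorize.conf    importRoles = user
/opt/splunk/etc/system/local/authorize.conf    srchIndexesAllowed = security;proxy
/opt/splunk/etc/system/local/authorize.conf    srchIndexesDefault = security
/opt/splunk/etc/system/local/authorize.conf    srchFilter = *
"""

SH2_BTOOL = """\
/opt/splunk/etc/system/default/authorize.conf  [role_user]
/opt/splunk/etc/system/default/authorize.conf  srchIndexesAllowed = main
/opt/splunk/etc/system/default/authorize.conf  srchIndexesDefault = main
/opt/splunk/etc/system/local/authorize.conf    [role_secops]
/opt/splunk/etc/system/local/authorize.conf    importRoles = user
/opt/splunk/etc/system/local/authorize.conf    srchIndexesAllowed = security
/opt/splunk/etc/system/local/authorize.conf    srchIndexesDefault = security
/opt/splunk/etc/system/local/authorize.conf    srchFilter = host=prod*
"""

CHECKED_KEYS = ("srchIndexesAllowed", "srchIndexesDefault", "srchFilter")
# stanza name -> setting name -> (value, file the value was read from)
Conf = Dict[str, Dict[str, Tuple[str, str]]]


def parse_btool_debug(text: str) -> Conf:
    """Parse btool --debug lines of the form '<path>  [stanza]' or '<path>  key = value'."""
    conf: Conf = {}
    stanza = None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)   # first token is the source path
        if len(parts) != 2:
            continue
        path, body = parts[0], parts[1].strip()
        m = re.fullmatch(r"\[(.+)\]", body)
        if m:
            stanza = m.group(1)
            conf.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in body:
            continue
        key, _, value = body.partition("=")  # split on the first '=' only (srchFilter may contain '=')
        conf[stanza][key.strip()] = (value.strip(), path)
    return conf


def _split_list(value: str) -> Set[str]:
    """authorize.conf list settings are ';'-separated."""
    return {v.strip() for v in value.split(";") if v.strip()}


def effective_indexes(conf: Conf, role: str, key: str,
                      seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of a list-valued setting over the role and every role it imports, transitively."""
    seen = seen if seen is not None else set()
    if role in seen:                     # guard against importRoles cycles
        return set()
    seen.add(role)
    stanza = conf.get(f"role_{role}", {})
    result = _split_list(stanza.get(key, ("", ""))[0])
    for parent in _split_list(stanza.get("importRoles", ("", ""))[0]):
        result |= effective_indexes(conf, parent, key, seen)
    return result


def diff_role(conf_a: Conf, conf_b: Conf, role: str) -> List[str]:
    """Return one line per difference for `role` between the two heads; empty if identical."""
    findings: List[str] = []
    stanza = f"role_{role}"
    a, b = conf_a.get(stanza, {}), conf_b.get(stanza, {})
    # Raw values, plus the file each came from: a different path is itself a finding.
    for key in CHECKED_KEYS + ("importRoles",):
        va, pa = a.get(key, ("<unset>", "-"))
        vb, pb = b.get(key, ("<unset>", "-"))
        if va != vb or pa != pb:
            findings.append(f"{stanza}.{key}: SH1={va!r} ({pa}) SH2={vb!r} ({pb})")
    # Effective index sets after importRoles resolution (what the user actually gets).
    for key in ("srchIndexesAllowed", "srchIndexesDefault"):
        ea, eb = effective_indexes(conf_a, role, key), effective_indexes(conf_b, role, key)
        if ea != eb:
            findings.append(f"effective {key}: only SH1={sorted(ea - eb)} only SH2={sorted(eb - ea)}")
    return findings


if __name__ == "__main__":
    sh1, sh2 = parse_btool_debug(SH1_BTOOL), parse_btool_debug(SH2_BTOOL)
    for line in diff_role(sh1, sh2, "secops") or ["no differences"]:
        print(line)
```

To use it against real heads, capture `$SPLUNK_HOME/bin/splunk btool authorize list --debug` on each search head into a file, feed the two files to parse_btool_debug, and run diff_role for the role of the user who gets "no results found". Comparing the source path as well as the value is deliberate: in a pool the shared etc directory is common to both heads, but each head's own $SPLUNK_HOME/etc/system/local is not, which is exactly where the drift in this thread lived.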

CaptainHook
Communicator

Thanks, Burch. I have compared the roles in our system/local as you suggested, and I am not seeing any major discrepancies within the roles. This is something I had looked at in the GUI beforehand, and we did have a slight difference in srchIndexesAllowed. I have updated those to match (just to keep them uniform), but the issue seems to be more than a role issue.


sloshburch
Splunk Employee

Aight. Would you be able to show two examples (working and not working)? Keep the corporate stuff blurred, but show the search string, the time span, and the job inspector heading that shows the number of results and events found, as well as any other errors and warnings.
