Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: reports are failing in search head cluster
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reports are failing in search head cluster
I see below error message in one of my search head cluster,can you please assst me
08-10-2019 12:01:16.072 +0100 WARN SearchOperator:kv - Could not find a transform named REPORT-apache_access
08-10-2019 12:01:16.080 +0100 WARN SearchOperator:kv - Could not find a transform named REPORT-apache_access
08-10-2019 12:01:16.320 +0100 WARN SavedSearchAdminHandler - endpoint="/saved/searches//history" action="skipping" reason="failed to proxy savedsearches ::handleHistoryAction request to captain"
08-10-2019 12:01:23.638 +0100 INFO TcpOutputProc - Closing stream for idx=10.164.254.134:9997
08-10-2019 12:01:23.639 +0100 INFO TcpOutputProc - Connected to idx=10.164.254.135:9997, pset=0, reuse=0. using ACK.
08-10-2019 12:01:37.862 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD5ab2a184ffec4b19a_958891719.stash_new'
08-10-2019 12:02:09.222 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD537aebdf9f35de752_1536652306.stash_new'
08-10-2019 12:02:09.549 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD50129d34a488b37c7_432050352.stash_new'
08-10-2019 12:02:09.907 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD5c65efd3d46db79aa_651667386.stash_new'
08-10-2019 12:02:10.159 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD5d9a1174514df29d8_405898720.stash_new'
08-10-2019 12:02:10.160 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD586fb6099b3dba69f_1424866006.stash_new'
08-10-2019 12:02:10.397 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD56c295d3c98313ba5_350864840.stash_new'
08-10-2019 12:02:11.365 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD5ec465cd2d814b395_1055043170.stash_new'
08-10-2019 12:02:13.460 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD5c06e288102cb9335_321811524.stash_new'
08-10-2019 12:02:17.655 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD53302a8670bea60e2_708923054.stash_new'
08-10-2019 12:02:19.692 +0100 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/RMD51e7c7f7a3053d236_1169782388.stash_new'
08-10-2019 12:02:23.433 +0100 INFO TcpOutputProc - Closing stream for idx=10.164.254.135:9997
08-10-2019 12:02:23.433 +0100 INFO TcpOutputProc - Connected to idx=10.164.254.134:9997, pset=0, reuse=0. using ACK.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can run following on Splunk CLI to determine where is that record:
splunk cmd btool transforms list --debug
This should point you where is that file. I wanted to note also, having this frequent inputs from SHC via search , and as batch input,
may cause you some performance issues in your cluster too. More like freezing search heads.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check all of your transforms.conf files for "REPORT-apache_access". It might be in a disabled app.
If this reply helps you, Karma would be appreciated.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
