Getting Data In

"Returned partial results" error message

shivanandbm
Explorer

Indexer Clustering: The search process with sid=rt_md_1533830226.207365 on peer=XXXXXX may have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running the search again. Learn more.

0 Karma

dm1
Contributor

were you able to fix this issue? if yes, please share solution. Thanks.

0 Karma

woodcock
Esteemed Legend

If you cannot talk to all of your defined search peers, then you will get this message. Go to Config -> Distributed Search -> Search Peers and you will see that one is sick or at some other non-Healthy value. Sometimes the problem can be resolved by deleting and re-peering.

DalJeanis
SplunkTrust
SplunkTrust

The error message says exactly what it means. If you try running the search repeatedly and keep getting this issue, then you may have an error in the connection path. For example, if you are on a multi-site clustered system, then perhaps the VPN link to the other site is wobbly, or perhaps some firewall in between is messing with the connection. Or, perhaps it is exactly what is says it might be, and the indexer restarted during the time that the search was running.

If this is happening to a job consistently at night, but not when you rerun during the day, try moving the job forward or backward to avoid the time that the indexer in question goes wonky.

In any case, this is not generally going to be a problem with your SPL (your search), rather it is some kind of problem with the architecture of your cluster or the timing of the job, relative to maintenance windows. See your system admins to ask them what they think it might be.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is your question?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...