Getting Data In

"Returned partial results" error message

New Member

Indexer Clustering: The search process with sid=rt_md_1533830226.207365 on peer=XXXXXX may have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running the search again. Learn more.

0 Karma


were you able to fix this issue? if yes, please share solution. Thanks.

0 Karma

Esteemed Legend

If you cannot talk to all of your defined search peers, then you will get this message. Go to Config -> Distributed Search -> Search Peers and you will see that one is sick or at some other non-Healthy value. Sometimes the problem can be resolved by deleting and re-peering.


The error message says exactly what it means. If you try running the search repeatedly and keep getting this issue, then you may have an error in the connection path. For example, if you are on a multi-site clustered system, then perhaps the VPN link to the other site is wobbly, or perhaps some firewall in between is messing with the connection. Or, perhaps it is exactly what is says it might be, and the indexer restarted during the time that the search was running.

If this is happening to a job consistently at night, but not when you rerun during the day, try moving the job forward or backward to avoid the time that the indexer in question goes wonky.

In any case, this is not generally going to be a problem with your SPL (your search), rather it is some kind of problem with the architecture of your cluster or the timing of the job, relative to maintenance windows. See your system admins to ask them what they think it might be.

0 Karma


What is your question?

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: CFP Site: CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...