According to Splunk Support, this is a bug due to upgrading from version 4.3.x. There is no information whatsoever about what the negative ramifications are due to this bug but our users have reported inconsistent search results while this ERROR was occurring.
"After upgrade from 4.3.x, splunkd.log is reporting a lot of ERROR ProcessDispatchedSearch - PROCESS_SEARCH - Error opening "": No such file or directory. (SPL-63237)""
And support indicates that this is benign so can be ignored.
Thanks somesoni2, but we are not having ntp issues. Support tells us this is a bug.
Should this log message been fixed by now in version 6?
Don't even know -- they told us to just suppress the ERROR which isn't helpful in telling us whether this this is a legitimate issue we should be concerned about or not.....
I'm seeing a number of these errors in a fresh Splunk 6 instance so maybe not only related to an upgrade.
I got single search head and two indexers, was 5.0.4 is now 6.1.1 and seeing lots of those entries. Got ntpd running on all of my splunk servers, so time seems to be ok.
Has anyone got an idea how to debug or solve this issue?
From what I understand from Splunk Support, this is a known and benign error. There's no fix ready at the moment but it can be safely ignored.