Solved: Re: Splunk 7.1.0 upgrade of FREE version finalizes...

Wobe · ‎04-27-2018

After upgrading from 7.0.3 to 7.1.0 longer searches will be auto-finalized!
So most results will not be correct because not all events will be used for a given timerange.

Example: (All time search, no config changes in disk quotas done)
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '

| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message

This happens with ALL searches, i was able to test. The diskquota in the FREE version is promised to be not limited.
It happens on every Upgradeinstallation with V7.1.0.

What did i do wrong?

Wobe · ‎07-17-2018

Tested the issue with V7.1.2.
It seems to be fixed.

I'm happy. 🙂

View solution in original post

justodaniel · ‎08-02-2018

7.1.2 update works for me too. 🙂

Wobe · ‎07-17-2018

Tested the issue with V7.1.2.
It seems to be fixed.

I'm happy. 🙂

splunkLPN · ‎07-17-2018

7.1.2 update works for me too. 🙂

thank's !

worshamn · ‎07-15-2018

This appears to be fixed as of 7.1.2 as it now works in the situation I was having a problem with.

schultemn · ‎07-15-2018

7.1.2 is also working again for me.

matejkaj · ‎07-03-2018

Downgrading from 7.1.1 to 7.0.4 fixed this issue for me.

Wobe · ‎07-03-2018

Yes, the problem is with 7.1.0 and 7.1.1 not with 7.0.X.

I wonder why there is no quick fix yet because the 7.1.0 and 7.1.1 are completely unusable (at least for me).

Its not an issue with a seldom used feature but with ALL searches (with many events) as described above.
Still hoping for a solution.....

cgoudie · ‎05-28-2018

@xpac This is definitely still a problem in Splunk 7.1.1

It happens on all searches with enough time on them, not just realtime.

Please fix

xpac · ‎05-29-2018

I don't do fixes, I just summarized that this behavior has been noticed multiple times and that $SplunkPeople have confirmed that this shouldn't happen. I don't know any details about a fix, sorry.

splunkLPN · ‎05-28-2018

uninstall and back to 6.6.7 with an enterprise dev licence solve the problem.
But installing 7.1 or upgrading to 7.1 open the door to the bug.
I hope 7.2 or more will be a solution 🙂

Wobe · ‎05-29-2018

Version 7.0.3 did also not show the problem. May be it has to do with the usermanagement extensions, they implemented in 7.1

kjetilho · ‎05-24-2018

Still an issue in the new 7.1.1 version. This is very disappointing!

splunkLPN · ‎05-23-2018

I tried to uninstal and reinstal everything (no more opt/splunk directory). and... I still have the error.

Wobe · ‎05-23-2018

So this happens also with a fresh install using the Enterprise trial license?
Not good.
It probably should become a highlighted issue.

splunkLPN · ‎05-23-2018

trial converted in dev for my case.
But my old free licence is recreated during the instal. I don't know where is the information that I need to erase to do a real fresh start on Ubuntu.

splunkLPN · ‎05-15-2018

another particular case in my lab machine is that for safety reason it's not connected to the net. Is it youre case too ? I've made the update using an USB key.

Wobe · ‎05-15-2018

Mine is also not connected to the internet. Should not matter.

splunkLPN · ‎05-14-2018

I've the same bug coming from a 6 free version with 3 violations to a 7.1 developper license.

The hash of my free license is :
hash FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
is_unlimited False
label Splunk Free

I can't remove it.
Is it the same for you ?

Have you try to set up an authorize.conf file ?

*1.   [role_Administrator]
2.    srchDiskQuota = 1000000*

I have right problem on my lab machine for the moment and can't test this fix.

Wobe · ‎05-14-2018

I have the same hash as you.

I've tested a similar quota configuration before, retested yours now and got no success.

I think it is a very severe issue. Searches with many events simply deliver incorrect results regardless of quotas or timerange settings!

schultemn · ‎05-14-2018

I don't have much helpful to add, other than to confirm this issue is present in one of my environments too.

Log shows (trimmed):

05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')

Splunk 7.1.0 upgrade of FREE version finalizes searches with message ' Search auto-finalized after disk usage limit (0MB) reached. '

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability