After upgrading from 7.0.3 to 7.1.0 longer searches will be auto-finalized!
So most results will not be correct because not all events will be used for a given timerange.
Example: (All time search, no config changes in disk quotas done)
| search source "unitstatus" => 1.099.140 events with message 'Search auto-finalized after disk usage limit (0MB) reached. '
| search source "unitstatus" | stats count => 1.542.614 eventcount with message 'Search auto-finalized after disk usage limit (0MB) reached. '
| metadata type=sources index=* | where source="unitstatus" | fields + totalCount => 2.671.141 count without message
This happens with ALL searches I was able to test. The disk quota in the FREE version is promised to be not limited.
It happens on every upgrade installation with V7.1.0.
What did I do wrong?
Tested the issue with V7.1.2.
It seems to be fixed.
I'm happy. 🙂
7.1.2 update works for me too. 🙂
Thanks!
This appears to be fixed as of 7.1.2 as it now works in the situation I was having a problem with.
7.1.2 is also working again for me.
Downgrading from 7.1.1 to 7.0.4 fixed this issue for me.
Yes, the problem is with 7.1.0 and 7.1.1, not with 7.0.X.
I wonder why there is no quick fix yet, because 7.1.0 and 7.1.1 are completely unusable (at least for me).
It's not an issue with a seldom-used feature but with ALL searches (with many events) as described above.
Still hoping for a solution.....
@xpac This is definitely still a problem in Splunk 7.1.1
It happens on all searches with enough time on them, not just realtime.
Please fix
I don't do fixes, I just summarized that this behavior has been noticed multiple times and that $SplunkPeople have confirmed that this shouldn't happen. I don't know any details about a fix, sorry.
Uninstalling and going back to 6.6.7 with an enterprise dev licence solves the problem.
But installing 7.1 or upgrading to 7.1 opens the door to the bug.
I hope 7.2 or more will be a solution 🙂
Version 7.0.3 also did not show the problem. Maybe it has to do with the user management extensions they implemented in 7.1.
Still an issue in the new 7.1.1 version. This is very disappointing!
I tried to uninstall and reinstall everything (no more opt/splunk directory), and... I still have the error.
So this happens also with a fresh install using the Enterprise trial license?
Not good.
It probably should become a highlighted issue.
Trial converted to dev in my case.
But my old free licence is recreated during the install. I don't know where the information is that I need to erase to do a real fresh start on Ubuntu.
Another particularity of my lab machine is that for safety reasons it's not connected to the net. Is that your case too? I made the update using a USB key.
Mine is also not connected to the internet. Should not matter.
I have the same bug, coming from a 6 free version with 3 violations to a 7.1 developer license.
The hash of my free license is:
hash FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
is_unlimited False
label Splunk Free
I can't remove it.
Is it the same for you?
Have you tried to set up an authorize.conf file?
[role_Administrator]
srchDiskQuota = 1000000
I have a rights problem on my lab machine for the moment and can't test this fix.
I have the same hash as you.
I've tested a similar quota configuration before, retested yours now and got no success.
I think it is a very severe issue. Searches with many events simply deliver incorrect results regardless of quotas or timerange settings!
I don't have much helpful to add, other than to confirm this issue is present in one of my environments too.
Log shows (trimmed):
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')
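Added example, not part of the thread or of Splunk's own tooling: a small parser that lists the searches that were auto-finalized on the disk usage limit, so the incomplete result sets can be identified and re-run. It assumes log lines in the format quoted in the last post; the last three sample lines, the user `analyst1` and the function name are constructed for illustration.

```python
import re

# Constructed sample: the first four lines are the ones quoted in the thread,
# the last three are made up (non-zero quota, and a search that was not cut).
SAMPLE_LOG = """\
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search finalized.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - sid:rt_1526334389.764 Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:39.773 INFO SearchStatusEnforcer - State changed to FINALIZING due to: Search auto-finalized after disk usage limit (0MB) reached.
05-14-2018 16:46:41.917 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='rt_1526334389.764', username='admin')
05-14-2018 17:02:10.101 INFO SearchStatusEnforcer - sid:1526335300.12 Search auto-finalized after disk usage limit (500MB) reached.
05-14-2018 17:02:11.400 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='1526335300.12', username='analyst1')
05-14-2018 17:05:00.000 INFO SearchStatusEnforcer - sid:1526335500.13 Search finalized.
"""

# Only the per-sid line is matched; the "State changed to FINALIZING" line
# repeats the same message without a sid and would double count.
FINALIZED = re.compile(
    r"^(?P<ts>\S+ \S+) \w+\s+SearchStatusEnforcer - sid:(?P<sid>\S+) "
    r"Search auto-finalized after disk usage limit \((?P<mb>\d+)MB\) reached"
)
FINISHED = re.compile(
    r"dispatchHasFinished\(id='(?P<sid>[^']+)', username='(?P<user>[^']+)'\)"
)

def truncated_searches(log_text):
    """Return one record per search that was auto-finalized on the disk limit."""
    hits, users = {}, {}
    for line in log_text.splitlines():
        m = FINALIZED.search(line)
        if m:
            # Keep the first event per sid; repeats for the same sid are ignored.
            hits.setdefault(m["sid"], {"sid": m["sid"], "time": m["ts"],
                                       "limit_mb": int(m["mb"])})
            continue
        m = FINISHED.search(line)
        if m:
            users[m["sid"]] = m["user"]
    for sid, rec in hits.items():
        rec["user"] = users.get(sid, "unknown")
        # A reported limit of 0MB is the signature described in this thread.
        rec["zero_limit"] = rec["limit_mb"] == 0
    return list(hits.values())

if __name__ == "__main__":
    for r in truncated_searches(SAMPLE_LOG):
        kind = "0MB signature" if r["zero_limit"] else "quota reached"
        print(f'{r["time"]} sid={r["sid"]} user={r["user"]} limit={r["limit_mb"]}MB ({kind})')
```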