Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I trace back to the search that generated splunkd.log searchParser errors?

lorenzo
New Member
‎06-07-2022 03:32 AM

Hello everyone,

I'm monitoring my Splunk Enterprise instance and, by looking at splunkd logs both via cli and search through:

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" log_level=ERROR

 

I find numerous SearchParser errors, namely the following one:

ERROR SearchParser [20709 TcpChannelThread] - Missing a search command before '|'. Error at position '2' of search query '| |'.

 

How can I trace back to the search that generated such error (either the search or the sid is fine)? Is that "20709" something of interest in this scenario?

Labels (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...