Hello everyone,
I'm monitoring my Splunk Enterprise instance and, by looking at the splunkd logs both via the CLI and through this search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" log_level=ERROR
I find numerous SearchParser errors, namely the following one:
ERROR SearchParser [20709 TcpChannelThread] - Missing a search command before '|'. Error at position '2' of search query '| |'.
How can I trace back to the search that generated such an error (either the search or the sid is fine)? Is that "20709" something of interest in this scenario?