Reporting

Encountering an error while I try to run my saved search

rmuraly
Explorer

My Splunk Version is 6.5.1 and I get this error while I try to run my saved search. Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin_admin...\prereport_84cf67ffc992ebfa_0.csv.gz'.

When I try to copy the search into a new search window and try running it, it works fine. I am stuck on this issue from the last couple of days . Any help would be great.

My Saved search :
index="entitydata_1_2_" ( kpr=RKT_Call_Finished OR kpr=LKT_Call_Setup OR kpr=MRDF_CallSetup)
|foreach * [rex field=<> mode=sed "s/{|}//g"]
|eval SetupFinishTime = if (kpr="RKT_Call_Finished",creationDate , null)
|eval EntitiesAttempted =EntitiesCount
|transaction GlobalID maxspan=10000m
|eval InitialDirection=if (kpr="LKT_Call_Setup" ,InitialDirection,null)
|eval LKTCallSetupExists = if (kpr="LKT_Call_Setup" ,"YES","NO")
|fields kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection, LKTCallSetupExists,
|rename EntityNum as InitialEntityNum
|eval entNum = InitialEntityNum |join type=Left entNum [| search index=entity_sum_1_2_
key=tcds_1_2_entity_feed | search [|inputlookup customer.csv | search [| search index="entitydata_1_2_*" kpr=RKT_Call_Finished | rename source as Source | return Source] | rename Customer as customer | return customer]| rename entityName as name |fields entNum , name,tfdid,entityID]
| table kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection,LKTCallSetupExists,entNum , name,tfdid,entityID

0 Karma

rmuraly
Explorer

The problem was with

[| search index=entity_sum_1_2_ key=tcds_1_2_entity_feed | search [|inputlookup customer.csv | search [| search index="entitydata_1_2_" kpr=RKT_Call_Finished | rename source as Source | return Source] | rename Customer as customer | return customer]| rename entityName as name |fields entNum , name,tfdid,entityID]

I changed this up

[| search index=entity_sum_1_2_ key=tcds_1_2_entity_feed [| search index="entitydata_1_2_" kpr=RKT_Call_Finished | top 1 source | table source | join type=left source [|inputlookup customer.csv | rename Source as source | table source, Customer] | table source, Customer | rename Customer as customer | return customer] | fields entNum, name,tfdid, entityID]

I could obsorve having multiple return statements was slowing it down considerably and since I was planing to return only one value of source, I used top 1. This helped get speed up the execution and work as expected.

I still suspect if this is a permanent fix for this problem.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

What else does splunkd.log contain at the time you try to run the saved search?

0 Karma

rmuraly
Explorer

looks like the nested call to index="entitydata_1_2_" is causing the problem.

0 Karma

rmuraly
Explorer

09-18-2017 12:10:22.058 ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin_admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz.8529CBC9-78F7-4171-9F88-38D18C5A644D.tmp error=The system cannot find the path specified.
09-18-2017 12:10:22.066 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz'.
09-18-2017 12:10:22.066 ERROR SearchResults - Could not create line reader on file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz'.
09-18-2017 12:10:22.066 WARN SearchResults - Failed to open C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz
09-18-2017 12:10:22.066 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz'.
09-18-2017 12:10:22.067 INFO UserManager - Unwound user context: admin -> NULL
09-18-2017 12:10:22.068 ERROR DispatchThread - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz'.
09-18-2017 12:10:22.072 INFO UserManager - Setting user context: admin
09-18-2017 12:10:22.072 INFO UserManager - Done setting user context: NULL -> admin
09-18-2017 12:10:22.072 INFO UserManager - Unwound user context: admin -> NULL
09-18-2017 12:10:22.072 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9', username='admin')
09-18-2017 12:10:22.073 ERROR SearchProcessor - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin
admin_c2Ffbmdjc18xLjJfY2Rycw_RMD57115c6b7f387c523_at_1505761817_6840_1505761820.7_1505761820.8_1505761820.9\prereport_f56df4781ac5a9c0_0.csv.gz'.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...