Encountering an error while I try to run my saved search

Explorer

My Splunk version is 6.5.1 and I get this error when I try to run my saved search: Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearchadminadmin...\prereport84cf67ffc992ebfa0.csv.gz'.

When I copy the search into a new search window and run it, it works fine. I have been stuck on this issue for the last couple of days. Any help would be great.

My saved search:
index="entitydata12*" ( kpr=RKTCallFinished OR kpr=LKTCallSetup OR kpr=MRDFCallSetup)
|foreach * [rex field=<<FIELD>> mode=sed "s/{|}//g"]
|eval SetupFinishTime = if (kpr="RKTCallFinished",creationDate , null)
|eval EntitiesAttempted =EntitiesCount
|transaction GlobalID maxspan=10000m
|eval InitialDirection=if (kpr="LKTCallSetup" ,InitialDirection,null)
|eval LKTCallSetupExists = if (kpr="LKTCallSetup" ,"YES","NO")
|fields kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection, LKTCallSetupExists,
|rename EntityNum as InitialEntityNum
|eval entNum = InitialEntityNum |join type=Left entNum [| search index=entitysum12* key=tcds12entityfeed | search [|inputlookup customer.csv | search [| search index="entitydata12*" kpr=RKTCall_Finished | rename source as Source | return Source] | rename Customer as customer | return customer]| rename entityName as name |fields entNum , name,tfdid,entityID]
| table kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection,LKTCallSetupExists,entNum , name,tfdid,entityID

0 Karma

Explorer

The problem was with

[| search index=entitysum12 key=tcds12entityfeed | search [|inputlookup customer.csv | search [| search index="entitydata12" kpr=RKTCall_Finished | rename source as Source | return Source] | rename Customer as customer | return customer]| rename entityName as name |fields entNum , name,tfdid,entityID]

I changed this up

[| search index=entitysum12 key=tcds12entityfeed [| search index="entitydata12" kpr=RKTCall_Finished | top 1 source | table source | join type=left source [|inputlookup customer.csv | rename Source as source | table source, Customer] | table source, Customer | rename Customer as customer | return customer] | fields entNum, name,tfdid, entityID]

I could observe that having multiple return statements was slowing it down considerably, and since I was planning to return only one value of source, I used top 1. This helped speed up the execution and it works as expected.

I still doubt whether this is a permanent fix for this problem.

0 Karma

Splunk Employee

What else does splunkd.log contain at the time you try to run the saved search?

0 Karma

Explorer

Looks like the nested call to index="entitydata12_" is causing the problem.

0 Karma

Explorer

09-18-2017 12:10:22.058 ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearchadminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz.8529CBC9-78F7-4171-9F88-38D18C5A644D.tmp error=The system cannot find the path specified.
09-18-2017 12:10:22.066 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearch_adminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz'.
09-18-2017 12:10:22.066 ERROR SearchResults - Could not create line reader on file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearchadminadmin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz'.
09-18-2017 12:10:22.066 WARN SearchResults - Failed to open C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearchadminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz
09-18-2017 12:10:22.066 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearch_adminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz'.
09-18-2017 12:10:22.067 INFO UserManager - Unwound user context: admin -> NULL
09-18-2017 12:10:22.068 ERROR DispatchThread - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearchadminadmin_c2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c00.csv.gz'.
09-18-2017 12:10:22.072 INFO UserManager - Setting user context: admin
09-18-2017 12:10:22.072 INFO UserManager - Done setting user context: NULL -> admin
09-18-2017 12:10:22.072 INFO UserManager - Unwound user context: admin -> NULL
09-18-2017 12:10:22.072 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='subsearchsubsearchsubsearchadminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9', username='admin')
09-18-2017 12:10:22.073 ERROR SearchProcessor - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearchsubsearchsubsearch_adminadminc2Ffbmdjc18xLjJfY2RycwRMD57115c6b7f387c523at150576181768401505761820.71505761820.81505761820.9\prereportf56df4781ac5a9c0_0.csv.gz'.

0 Karma
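
An added example, not part of the original thread: a small Python script that groups splunkd.log ERROR/WARN lines by the dispatch directory they name and counts the leading "subsearch" prefixes, to show which nested subsearch job every failure points at. The sample lines and search IDs are constructed, and treating each "subsearch" prefix as one nesting level is an assumption that matches the three nested subsearches in the saved search above.

```python
import re
from collections import defaultdict

# Constructed sample in the splunkd.log layout shown in the thread;
# the search IDs (SID1, SID2) are placeholders, not values from the page.
SAMPLE_LOG = r"""
09-18-2017 12:10:22.058 ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin_SID1\prereport_1.csv.gz.tmp error=The system cannot find the path specified.
09-18-2017 12:10:22.066 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin_SID1\prereport_1.csv.gz'.
09-18-2017 12:10:22.067 INFO UserManager - Unwound user context: admin -> NULL
09-18-2017 12:10:22.068 ERROR DispatchThread - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin_SID1\prereport_1.csv.gz'.
09-18-2017 12:11:40.501 ERROR SearchResults - Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_admin_SID2\prereport_2.csv.gz'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$")
# Directory name directly under ...\dispatch\ (the search job's ID).
DISPATCH_RE = re.compile(r"\\dispatch\\(?P<sid>[^\\']+)\\")
# Leading "subsearch" prefixes; "_" is optional because the forum
# rendering of the thread dropped underscores from the paths.
NESTING_RE = re.compile(r"^(?:subsearch_?)+")

def summarize(log_text, levels=("ERROR", "WARN")):
    """Group ERROR/WARN lines by dispatch directory, with nesting depth."""
    jobs = defaultdict(lambda: {"depth": 0, "count": 0, "components": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] not in levels:
            continue
        d = DISPATCH_RE.search(m["msg"])
        if not d:
            continue  # message does not reference a dispatch directory
        prefix = NESTING_RE.match(d["sid"])
        job = jobs[d["sid"]]
        job["depth"] = prefix.group(0).count("subsearch") if prefix else 0
        job["count"] += 1
        job["components"].add(m["component"])
    return dict(jobs)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["depth"])
    for sid, info in ranked:
        print(f"depth={info['depth']} lines={info['count']} "
              f"components={sorted(info['components'])} sid={sid}")
```
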