Reporting

PROCESS Search error message

peter_gianusso
Communicator

This erro?r in Splunk 6 is on the indexer.

ERROR ProcessDispatchedSearch - PROCESS_SEARCH - Error opening "C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler__nobody_SUxJX0ltYWdpbmdfQXBw__RMD539773f0726cc8328_at_1382734800_49\search.log": The operation completed successfully.

Seems to have stopped searches and/or forwarder connectivity.

Any ideas?

Tags (2)

aelliott
Motivator

Make sure that the permissions of var/run and var/spool (and all their children) are correct. We found that ours had no permissions and adding these permissions fixed this issue, but not for all new search logs, they are created with no permissions and I think this is the issue. No knowing what causes this.

We found this to be an issue with our anti-virus locking files as they were created in the directories:
If this solves your problem, feel free to vote up sciurus post.
http://answers.splunk.com/answers/113539/error-spamming-splunkdlog-error-process_search

0 Karma

ashabc
Contributor

I had similar error messages. In my case it sopped indexing incoming data.

It disappeared when I started sending log files in zipped format from source (in my case ironport proxy appliance) rather than plain text and it resolved my issue.

May be the size of the log files are too big. You may try to send data to Splunk more frequent. Not sure.

0 Karma

peter_gianusso
Communicator

thanks for the suggestion but zipping up files is not an option

0 Karma

peter_gianusso
Communicator

I do not have DBConnect installed

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...