Reporting

Scheduled report error -- Search process did not exit cleanly, exit_code=-1, description="exited with code -1"

agreer
New Member

When running the following manually there are no issues. But when this is scheduled the following error is noted and half the information is not present.

[subsearch]: [1spl-ind04-dc1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.
[subsearch]: [1spl-ind04-dc2] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.

|inputlookup idstoroles.csv | where like (role_name,"%External User%") | join type=left user_id[search index=onelogin event_type_id=5 |eval mytime=strftime(_time, "%Y-%m-%d") |lookup idstoroles.csv user_id
|stats distinct_count(mytime) as "total logins" by role_name,user_name,user_id |where like(role_name, "%External User%")] | table username,user_name, firstname, lastname, user_id, "total logins" |outputlookup logins.csv

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id 

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id 
0 Karma

sbbadri
Motivator

@agreer,

can you please check first pipe symbol is present i.e., before inputlookup command in your scheduled search and report. sometime when do save as report option from search bar. pipe symbol will be missed.

0 Karma

agreer
New Member

The pipe is there. I have also seen other answers state this is due to permissions. I have had a super user create the same report with the same result.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...