Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Scheduled report error -- Search process did not exit cleanly, exit_code=-1, description="exited with code -1"

agreer
New Member
‎10-09-2017 09:19 AM

When running the following manually there are no issues. But when this is scheduled the following error is noted and half the information is not present.

[subsearch]: [1spl-ind04-dc1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.
[subsearch]: [1spl-ind04-dc2] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.

|inputlookup idstoroles.csv | where like (role_name,"%External User%") | join type=left user_id[search index=onelogin event_type_id=5 |eval mytime=strftime(_time, "%Y-%m-%d") |lookup idstoroles.csv user_id
|stats distinct_count(mytime) as "total logins" by role_name,user_name,user_id |where like(role_name, "%External User%")] | table username,user_name, firstname, lastname, user_id, "total logins" |outputlookup logins.csv

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-10-2017 07:21 AM

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-10-2017 07:21 AM

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id
0 Karma
Reply
Solved! Jump to solution

sbbadri
Motivator
‎10-09-2017 12:40 PM

@agreer,

can you please check first pipe symbol is present i.e., before inputlookup command in your scheduled search and report. sometime when do save as report option from search bar. pipe symbol will be missed.

0 Karma
Reply
Solved! Jump to solution

agreer
New Member
‎10-09-2017 12:59 PM

The pipe is there. I have also seen other answers state this is due to permissions. I have had a super user create the same report with the same result.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...