Reporting

Scheduled report error -- Search process did not exit cleanly, exit_code=-1, description="exited with code -1"

agreer
New Member

When running the following manually there are no issues. But when this is scheduled the following error is noted and half the information is not present.

[subsearch]: [1spl-ind04-dc1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.
[subsearch]: [1spl-ind04-dc2] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.

|inputlookup idstoroles.csv | where like (role_name,"%External User%") | join type=left user_id[search index=onelogin event_type_id=5 |eval mytime=strftime(_time, "%Y-%m-%d") |lookup idstoroles.csv user_id
|stats distinct_count(mytime) as "total logins" by role_name,user_name,user_id |where like(role_name, "%External User%")] | table username,user_name, firstname, lastname, user_id, "total logins" |outputlookup logins.csv

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id 

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.

Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.

index=onelogin event_type_id=5 
| eval mytime=strftime(_time, "%Y-%m-%d") 
| lookup idstoroles.csv user_id 
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id 
| where like(role_name, "%External User%")
| append [    | inputlookup idstoroles.csv 
              | where like (role_name,"%External User%") 
              | table role_name, user_name, user_id
              | eval logcount=0
         ]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id 
0 Karma

sbbadri
Motivator

@agreer,

can you please check first pipe symbol is present i.e., before inputlookup command in your scheduled search and report. sometime when do save as report option from search bar. pipe symbol will be missed.

0 Karma

agreer
New Member

The pipe is there. I have also seen other answers state this is due to permissions. I have had a super user create the same report with the same result.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...