Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Broken Host Lookup gen searches are getting skipped.

kartik
Observer
‎09-20-2024 07:59 AM

Hi Team,

We're getting skipped search alerts for all 3  Lookup Gen searches. How we can resolve this?

Even though after disabling those searches we are still getting error for these searches.

Your assistance is greatly appreciated.

Lookup Gen - bh_sourcetype_cachebroken_hostsRelation '' is unknown. (2)none2
Lookup Gen - bh_host_cachebroken_hostsRelation '' is unknown. (2)none2
Lookup Gen - bh_index_cachebroken_hostsRelation '' is unknown. (2)none
Labels (1)
Labels
0 Karma
Reply

rj_jacobevans
Engager
‎10-21-2024 10:54 AM

I am seeing the same thing with a fresh install of v5.0.1 in Splunk Cloud.

Splunk Cloud

Version: 9.2.2403.109

Build: acf4711b7529

 

10-21-2024 16:07:58.193 +0000 INFO  SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_host_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_host_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729526878, window_time=-1, skipped_count=11, filtered_count=0
10-21-2024 12:52:14.196 +0000 INFO  SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_sourcetype_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_sourcetype_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729515134, window_time=-1, skipped_count=10, filtered_count=0
10-21-2024 12:26:30.121 +0000 INFO  SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_index_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_index_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729513590, window_time=-1, skipped_count=10, filtered_count=0

 

 

 Looking at the savedsearches.conf that comes with this version of the app and comparing to the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf), each of these three searches defines "counttype = number of events" but does not define "quantity" or relation.

To fix this in Splunk Enterprise, just remove the config "counttype = number of events" for each search directly in default/savedsearches.conf.

To fix in Splunk Cloud, click Edit > Advanced Edit on each search and change "alert_type" from "number of events" to empty. Keep in mind that the app will need to be completely uninstalled and reinstalled when this is fixed to remove the /local/ versions of the searches.

Cheers,
Jacob

---

If this reply helps you, Karma would be appreciated.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2024 08:16 AM

Usually, a search is skipped because of external factors (no resources), but a search will be skipped if it contains an error or if it's already/still running.  The Monitoring Console or CMC will tell the reason for the skips in the Scheduler Activity dashboard.  Fix the reason and the skips should stop.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kartik
Observer
‎09-20-2024 08:41 AM

these searches are showing the reason as "Relation '' is unknown. (2)" . Here I'm unsure what action that i need to perform here.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2024 08:58 AM

That reason is new to me.  The app is supported by the developer.  Their contact info is on the splunkbase page.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...