Splunk Enterprise Security

Internal Log Errors - copyresults

SplunkFu
Path Finder

Hi there,

I was just looking through our splunkd logs, and I notice multiple errors for the following:

<dateTime> ERROR SearchOperator:copyresults - You must provide a search id.

I couldn't really find much on splunkbase, so I turned up the logging for the copyresults command, and I can now see the following as an example:

INFO  SearchOperator:copyresults - mapped lookup name=system_uptime_tracker to fn=C:\Program Files\Splunk\etc\apps/SA-EndpointProtection/lookups/system_uptime_tracker.csv

INFO  SearchOperator:copyresults - copy results.csv.gz to C:\Program Files\Splunk\etc\apps\SA-EndpointProtection\lookups\system_uptime_tracker.csv, success=1

INFO  ExecProcessor - Ran script: python "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\notable_owners.py", took 2168.4 milliseconds to run, 0 bytes read

ERROR SearchOperator:copyresults - You must provide a search id.

ERROR SearchOperator:copyresults - You must provide a search id.

Does anyone have any thoughts on this? I am seeing the events for other apps as well.

Thanks in advance,

SplunkFu

1 Solution

LukeMurphey
Champion

I'm not sure of the exact root cause but I think it was due to some overly aggressive logging. Reportedly, the messages no longer appear with 5.0.2 and later. Incidentally, I don't see them anymore ever since I upgraded my installation.

tskinnerivsec
Contributor

I just upgraded to Splunk 5.0.3, and I do have one instance of this error with a timestamp of 10 minutes ago, and I performed the upgrade well over an hour ago. I'll chase it down, but I wouldn't say the issue is resolved with the most recent upgrade.

0 Karma

LukeMurphey
Champion

What version of ES and Splunk are you on?

0 Karma

SplunkFu
Path Finder

Thanks for the response.

We are planning our upgrade at the moment, so I will put this to the back of my mind.

0 Karma