Re: Problem with a query

havatz · ‎10-04-2020

Hi

Need you help please with a query;

"| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as \"day_count\",count from datamodel=Malware.Malware_Attacks   by \"Malware_Attacks.dest\",\"Malware_Attacks.signature\" | rename \"Malware_Attacks.dest\" as \"dest\",\"Malware_Attacks.signature\" as \"signature\" | search dest=\"10.0.0.0/8\" OR dest=\"192.168.0.0/15\" OR dest=\"172.16.0.0/12\"\n| where 'day_count'>3"

I got an errors:

"type": "ERROR",
"text": "[idx-indexname.splunkcloud.com] The search process with search_id=\"remote_sh-i-idx-indexname.splunkcloud.com_1\" may have returned partial results. Try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administrator."

How can I fix that?

thanks

ololdach · ‎10-04-2020

Hi, when my searches fail or show errors I always open the Job Inspector. In the Inspector popup window, there is another link to the search.log that gives you some very detailed information. Another way to see more info about your errors is to open a plain search window and do a search like:

index=_internal error

Oliver

Richfez · ‎10-04-2020

Well. I assume you have tried running it again and that it still fails?

This is usually caused by some sort of environmental problem. Check your indexer cluster's status

https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Viewsearchpeers

And ... resolve as required.

If you don't see problems over all the things, then it could just be a 'datamodel gone wild' so you could try rebuilding your Malware datamodel.

Also, you could check with your Splunk administrator and see what they say.

Happy Splunking!

-Rich

Problem with a query

correlation search

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...