Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How resolve the error "Search auto-canceled and DAG execution error"?

smaheshwarappaa
Loves-to-Learn
‎09-28-2021 12:46 AM

Hi Team,

When i m searching the  switch logs for last 7 days, i m gettting the error " Search auto-canceled and DAG execution error ". able to get last 15 or 60 mins logs, could you please suggest how can i resolve this issue. i m using 8.1.3 splunk enterprise version.

Thanks

Sridevi M

Labels (1)
Labels
Tags (2)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎02-18-2022 10:38 AM

Looks like Splunk offered a solution starting in 8.1.7 and 8.2.4

https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues
 

Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

Reply

Roy_9
Motivator
‎11-04-2021 04:08 PM

Please look at the  Advanced edit section of your saved search and make the below changes

dispatch.auto_cancel = <integer>
* Specifies the amount of inactive time, in seconds, after which the job
  is automatically canceled.
* 0 means to never auto-cancel the job.
* Default: 0  
dispatch.max_time = <integer> *

The maximum amount of time, in seconds, before finalizing the search. *

Default: 0

 

This should help fix the issue and this usually occurs when your SH uses all of the RAM.

If you are on Splunk cloud, also try to increase the disk space limit for your role

0 Karma
Reply

jgallien
Explorer
‎11-04-2021 04:12 PM

Autocancel is set to 0 already.  I've been down that path.  The search ends in a couple of seconds.  Any hints on any resource limits or splunk limits that might be able to be tweaked?  I'm headed down that path since I've been looking into this for over a week with no progress.

0 Karma
Reply

Roy_9
Motivator
‎11-04-2021 04:18 PM

if you are on splunk cloud, Can you give a try by changing the settings of the role by going through role -edit- resources- role search time window limit to infinite and disk space limit to 10000 MB and give a try.

0 Karma
Reply

jgallien
Explorer
‎11-04-2021 05:17 PM

It is not cloud, but Enterprise on-prem.  Interestingly, I was able to run the same searches on the CLI using a max event return of 50k and got results back no problem.  Wondering why the GUI would autocancel if the CLI can get the dispatch results no problem.

0 Karma
Reply

jgallien
Explorer
‎11-04-2021 03:46 PM

I'm having the same problem, not making any headway.  Have you checked your search.log in the inspector window?  Mine is showing a collector failure to write (before it calls the CANCEL), but can't figure out why.  Looking at the $SPLUNKHOME/var/log/*.log may be helpful.  I can see some errors there, but none have really led me to the answer.  It's almost like it is hitting a search limit and stopping.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...