Splunk IT Service Intelligence: Warning showing up...

zhangxq20 · ‎06-20-2019

Hi all,

Sometimes the following warning shows up after searching no matter what search I have done.

[subsearch]: Unknown error for indexer: Indexer_03. Search Results might be incomplete! If this occurs frequently, check on the peer.

Does anyone have any idea about it? Thanks.

woodcock · ‎06-21-2019

Go to Settings -> Distributed search -> Search peers and see what that tells you.
Also get onto your Monitoring Console and run all of the Heath Checks and poke around on the Indexer dashboards.

amitm05 · ‎06-20-2019

@zhangxq20

You are getting this error always from the same peer i.e. Indexer_03 in your case OR this is varying with your searches ?
As this might happen that the searched data is corrupted on the primary buckets of this peer.

Also, are you running dashboards OR too many queries at once ? or this is happening with singular query as well.

See this post here, it might help you -
https://answers.splunk.com/answers/506621/unknown-error-for-peer-xxx-search-results-might-be.html

amitm05 · ‎06-21-2019

Can you mark as answer if your query is resolved by this OR let me know if you have further ask ?

Splunk IT Service Intelligence: Warning showing up after any search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms