Splunk IT Service Intelligence

Splunk IT Service Intelligence: Warning showing up after any search

New Member

Hi all,

Sometimes the following warning shows up after searching no matter what search I have done.

[subsearch]: Unknown error for indexer: Indexer_03. Search Results might be incomplete! If this occurs frequently, check on the peer. 

Does anyone have any idea about it? Thanks.

0 Karma

Esteemed Legend

Go to Settings -> Distributed search -> Search peers and see what that tells you.
Also get onto your Monitoring Console and run all of the Heath Checks and poke around on the Indexer dashboards.

0 Karma



You are getting this error always from the same peer i.e. Indexer_03 in your case OR this is varying with your searches ?
As this might happen that the searched data is corrupted on the primary buckets of this peer.

Also, are you running dashboards OR too many queries at once ? or this is happening with singular query as well.

See this post here, it might help you -

0 Karma


Can you mark as answer if your query is resolved by this OR let me know if you have further ask ?

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...