Splunk Search

After upgrading Splunk from 6.4 to 6.5.1, why is the "search" command not working?

sivapuvvada
Path Finder

I have upgraded my Splunk version to 6.5.1 from 6.4. After this, I observed the "search" command is not working.
Is there any fix for this?

0 Karma
1 Solution

sivapuvvada
Path Finder

I have found the issue; it is due to the query which I have used. In my query I have renamed the field to an existing field.
I have removed the rename command from the query as those fields are already extracted by Splunk.

Now the search command is working fine as expected without any issues .

Thank you for all your help guys .

0 Karma
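The fix in the accepted answer, written out as an added SPL example (not the poster's own query, and not Splunk documentation). It holds three separate searches, listed in order and divided by blank lines: the first is the pattern that stopped returning results once `search status=N` was appended (the rename writes the spath output onto `status` and `cap_status`, names Splunk has already auto-extracted for the event); the second is the same search with the rename dropped, so the filter runs against the extracted field; the third is a check worth running before renaming onto any field name, using `fieldsummary` to see whether the target names are already populated. `status`, `cap_status` and the `test{}.messaging{}` paths are the names from the question; the `fieldsummary` search and its `maxvals` setting are an addition.

```spl
index=* sourcetype=*
| spath input=test
| rename test{}.messaging{}.status AS status, test{}.messaging{}.cap_status AS cap_status
| search status=N

index=* sourcetype=*
| spath input=test
| search status=N

index=* sourcetype=*
| fieldsummary maxvals=5
| search field=status OR field=cap_status
| table field count distinct_count values
```

If the third search shows `status` with a non-zero `count` before you add any rename, the field is already extracted and the rename in the first search is redundant; compare the `values` column with what `spath` produces before deciding which extraction to keep.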

noncon21
Engager

Sounds like something I recently ran into after upgrading from 6.3 to 6.5.1. The fix was to clear cache and cookies in the browser and search took right off. However, everything else with the exception of the search app was working for us, so given what you originally posted I am not sure if we're having the same issue. I worked mine out with support and apparently this is a known bug that tends to happen when going through the upgrade process. Hope this helps.

0 Karma

sivapuvvada
Path Finder

I have used this query in the search :

index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status

Up to here I am receiving the data, but when I add `search status=N` it does not display any results.

I am seeing the below error in the search.log:
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

0 Karma

burwell
SplunkTrust

Hello. Are you saying all searches return nothing?

  1. if you are an admin you could look at $SPLUNK_HOME/var/log/splunk/splunkd.log for errors
  2. After your search.. pull down job -> inspect job. Did the job get distributed to indexers?
0 Karma
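The first of the two checks above, as an added SPL example rather than anything from burwell's reply: instead of reading `$SPLUNK_HOME/var/log/splunk/splunkd.log` on disk, an admin can search the same log lines from the `_internal` index and group the errors by the component that raised them. `component` and `log_level` are the fields Splunk extracts for the `splunkd` sourcetype; the 24-hour window is an assumption and should be widened to cover the upgrade time.

```spl
index=_internal sourcetype=splunkd log_level=ERROR earliest=-24h
| stats count BY component
| sort -count
```

An error burst from a search-related component that starts at the upgrade time points at the server side; a clean result here, with the search still returning nothing, points back at the query itself or at the browser, which is where the other two answers in this thread ended up.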
