Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading Splunk from 6.4 to 6.5.1, why is the "search" command not working?

sivapuvvada
Path Finder
‎01-03-2017 03:40 PM

I have upgraded my Splunk version to 6.5.1 from 6.4. After this, I observed the "search" command is not working.
Is there any fix for this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sivapuvvada
Path Finder
‎01-05-2017 08:54 AM

I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .

Now the search command is working fine as expected without any issues .

Thank you for all your help guys .

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sivapuvvada
Path Finder
‎01-05-2017 08:54 AM

I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .

Now the search command is working fine as expected without any issues .

Thank you for all your help guys .

0 Karma
Reply
Solved! Jump to solution

noncon21
Engager
‎01-03-2017 05:46 PM

Sounds liked something I recently ran into after upgrading from 6.3 to 6.5.1. The fix was to clear cache and cookies in the browser and search took right off. However everything else with the exception of the search app was working for us, so given what you originally posted I am not sure if we're having the same issue. I worked mine out with support and apprantly this is a known bug that tends to happen when going through the upgrade process. Hope this helps.,

0 Karma
Reply
Solved! Jump to solution

sivapuvvada
Path Finder
‎01-04-2017 08:49 AM

I have used this query in the search :

index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status

Till here I am receiving the data but when i added search status=N it is not displaying any results .

I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎01-03-2017 04:26 PM

Hello. Are you saying all searches return nothing?

  1. if you are an admin you could look at $SPLUNK_HOME/var/log/splunk/splunkd.log for errors
  2. After your search.. pull down job -> inspect job. Did the job get distributed to indexers?
0 Karma
Reply
Solved! Jump to solution

sivapuvvada
Path Finder
‎01-04-2017 08:50 AM

I have used this query in the search :

index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status

Till here I am receiving the data but when i added search status=N it is not displaying any results .

I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...