Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- After upgrading Splunk from 6.4 to 6.5.1, why is t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have upgraded my Splunk version to 6.5.1 from 6.4. After this, I observed the "search" command is not working.
Is there any fix for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .
Now the search command is working fine as expected without any issues .
Thank you for all your help guys .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found the issue , this is due to query which i have used .. In my query have renamed the field to existing field .
I have removed the rename command from the query as those fields are already extracted by Splunk .
Now the search command is working fine as expected without any issues .
Thank you for all your help guys .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds liked something I recently ran into after upgrading from 6.3 to 6.5.1. The fix was to clear cache and cookies in the browser and search took right off. However everything else with the exception of the search app was working for us, so given what you originally posted I am not sure if we're having the same issue. I worked mine out with support and apprantly this is a known bug that tends to happen when going through the upgrade process. Hope this helps.,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have used this query in the search :
index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status
Till here I am receiving the data but when i added search status=N it is not displaying any results .
I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. Are you saying all searches return nothing?
- if you are an admin you could look at $SPLUNK_HOME/var/log/splunk/splunkd.log for errors
- After your search.. pull down job -> inspect job. Did the job get distributed to indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have used this query in the search :
index=* sourcetype=* | spath input=test | rename test{}.messaging{}.status as status,test{}.messaging{}.cap_status as cap_status
Till here I am receiving the data but when i added search status=N it is not displaying any results .
I am seeing below error in the search.log :
SearchResultParserExecutor - Encountered an error deserializing SearchResultsInfo from ResultsStream header.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
