Splunk Search

After upgrading to Splunk 6.1, I have searches returning no results, and a warning stating "Failed to start search on peer" What is this and how do I fix it?

jrodman
Splunk Employee

After upgrading to 6.1, searches fail to start. When running interactive searches from the search view, the event viewer shows "no results found" and a search warning under the "Jobs" icon appears, which upon closer inspection states "Failed to start search on peer '[peer_name]'."

Inspecting the search.log of the affected search shows the following errors just before the search process shuts down:

(...)
05-08-2014 02:02:52.892 INFO  SearchParser - PARSING: typer | tags
05-08-2014 02:02:52.908 ERROR SearchParser - Could not find macro 'ns_index' that takes 0 arguments. Expecting stanza name 'ns_index'.
05-08-2014 02:02:52.908 ERROR ProviderQueue - Error while creating result provider: Error in 'SearchParser': Could not find macro 'ns_index' that takes 0 arguments. Expecting stanza name 'ns_index'.
(...)

What is happening here? Why are searches failing? How can I fix this problem?

1 Solution

hexx
Splunk Employee

UPDATE: Maintenance release 6.1.1 has been made available to resolve this issue. If you are experiencing this problem, please update to Splunk Enterprise 6.1.1.

This problem is caused by the system-wide export by an app of eventtypes that reference one or more macros that are not exported. When searching from a different app, the eventtype is encountered but the macro it references cannot be expanded, which causes the search failure.

The appropriate behavior here would be a soft-fail: the search should continue and emit a warning about the eventtype that could not be evaluated.

This issue has been identified as bug SPL-83868, which is specific to Splunk 6.1 and will be promptly fixed in maintenance release 6.1.1.

In the meantime, you can use the following steps as a work-around:

  • Inspect the search.log of a failing search (check the peer's search.log if it is a distributed search) to identify the macro(s) that cannot be found.

  • Inspect macros.conf using btool to locate the app(s) where the macro belongs. In our example, the ns_index macro is failing, so to find the app where it lives we run:

    $SPLUNK_HOME/bin/splunk cmd btool macros list ns_index --debug

  • Add the following stanza to the app's metadata/local.meta file to export the macro(s):

    [macros]
    export = system

  • Hit the following Splunk Web refresh endpoint or restart Splunk:

    http[s]://<host>:<port>/en-US/debug/refresh?entity=admin/macros

Note that the following apps have been found to trigger this bug by shipping macro-based eventtypes that are exported system-wide without exporting the macros they depend on:

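One way to script the first checks of this work-around, as an added example that is not part of hexx's answer: it pulls the unresolved macro names out of a search.log excerpt, prints the btool command to run for each one, and checks whether an app's metadata/local.meta already carries the [macros] export stanza. The search.log lines are a constructed sample modelled on the ones quoted in the question; missing_macros, btool_commands and macros_exported are helper names chosen here, and only sed and awk are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the work-around steps.
# Assumes only POSIX sh, sed and awk; no Splunk binary is invoked.

# Constructed search.log excerpt modelled on the lines quoted in the question
# (not captured from a real system).
SAMPLE_LOG="05-08-2014 02:02:52.892 INFO  SearchParser - PARSING: typer | tags
05-08-2014 02:02:52.908 ERROR SearchParser - Could not find macro 'ns_index' that takes 0 arguments. Expecting stanza name 'ns_index'.
05-08-2014 02:02:52.908 ERROR ProviderQueue - Error while creating result provider: Error in 'SearchParser': Could not find macro 'ns_index' that takes 0 arguments."

# Step 1: read a search.log on stdin and print each macro name the parser
# could not resolve, once each.
missing_macros() {
  sed -n "s/.*Could not find macro '\([^']*\)'.*/\1/p" | sort -u
}

# Step 2: for each macro name on stdin, print the btool command that locates
# the owning app (the command itself is the one from the answer above).
btool_commands() {
  while read -r macro; do
    printf '$SPLUNK_HOME/bin/splunk cmd btool macros list %s --debug\n' "$macro"
  done
}

# Step 3 check: does the app's metadata/local.meta already export its macros
# system-wide? Exits 0 only if a [macros] stanza contains "export = system".
macros_exported() {
  [ -f "$1" ] || return 1
  awk '
    /^[[:space:]]*\[/ { in_macros = ($0 ~ /^[[:space:]]*\[macros\][[:space:]]*$/) }
    in_macros && /^[[:space:]]*export[[:space:]]*=[[:space:]]*system[[:space:]]*$/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Stand-alone run: list the missing macros in the sample and the commands to run.
printf '%s\n' "$SAMPLE_LOG" | missing_macros | btool_commands
```

Replace the sample with `cat path/to/search.log | missing_macros` on a real system; macros_exported takes the path of the app's metadata/local.meta printed by btool.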

araitz
Splunk Employee

Someone should fix that DHCP app...
