Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

CLI search with FATAL: The search job terminated unexpectedly

vnguyen46
Contributor
‎06-11-2020 07:42 AM

Hello,

I try to export a large log with CLI search below. It works well with a smaller log return, but giving error on large logs, FATAL: The search job terminated unexpectedly.

For instance, this search on Pan_logs terminated:

/opt/splunk/bin/splunk search "index=pan_logs earliest=-7d" -preview 0 -maxout 0 -output rawdata | gzip > pan_logs_7days.gz

Anyone knows how to resolve this issue?

Thanks,

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnguyen46
Contributor
‎06-12-2020 06:02 AM

@twesty That's another idea.

For small log, I run CLI search directly on the SH: 

/opt/splunk/bin/splunk search "index=small_log earliest=-14d" -preview 0 -maxout 0 -output rawdata | gzip > small_log_14days.gz

I used dump for large logs by running this query on the SH homepage:

index=wineventlog | dump basefilename=WinEventLog rollsize=20000 compress=9 format=raw
the output file saved at this dir: /opt/splunk/var/run/splunk/dispatch/(sid)/dump/

Best,

View solution in original post

0 Karma
Reply
Solved! Jump to solution

twesty
Path Finder
‎06-11-2020 02:15 PM

I would suggest running the search in smaller batches. there are many reasons why you could have a failure however the likelihood is that the returning message is just too large to handle.

If you're looking for 7 days worth of data, run 7 separate queries over a day each and then stitch the output together outside of Slpu

0 Karma
Reply
Solved! Jump to solution
Solution

vnguyen46
Contributor
‎06-12-2020 06:02 AM

@twesty That's another idea.

For small log, I run CLI search directly on the SH: 

/opt/splunk/bin/splunk search "index=small_log earliest=-14d" -preview 0 -maxout 0 -output rawdata | gzip > small_log_14days.gz

I used dump for large logs by running this query on the SH homepage:

index=wineventlog | dump basefilename=WinEventLog rollsize=20000 compress=9 format=raw
the output file saved at this dir: /opt/splunk/var/run/splunk/dispatch/(sid)/dump/

Best,

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...