Sometimes my searches on the Splunk Enterprise Security Search Head run into the following error, (mostly) without any results; sometimes there are only a few results:
[idx1, idx4 ...] Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: '/opt/splunk/var/run/searchpeers/splunksearchhead-1631016538/kvstore_s_SA-IdeRjww0FotymhlCIaS1cqkc05a_identix3UXVbINERGdyPwDBuI5US7E'.
Sometimes the searches work, sometimes they do not. There is also a "normal" Splunk Search Head, where the same search works all the time. If the error appears, the Incident Review also needs about
I already checked the bundle size of both Search Heads, and the ES bundle is about 800 MB. The "normal" Search Head bundle is about 1.1 GB.
Splunk Enterprise 8.2.1
Splunk Enterprise Security 6.6.0
Splunk Cluster with 2 sites, each site 8 idx.
I would greatly appreciate any help 🙂
@halu I'm getting the error, and the searches are running, getting paused, and resuming after some time. We also upgraded to 8.2.3 recently. Did you find any troubleshooting steps to prevent this error?