Re: Error message above search bar

bsantosh · ‎10-10-2018

Hi All,

When I am executing a search query something like "index=index1", I am getting the below error message above my search bar. I am still above fetch the results.

I have set the search mode to Verbose mode.

"! Some events cannot be displayed because they cannot be fetched from the remote search peer(s). This is likely caused by the natural expiration of the related remote search jobs. To view the omitted events, run the search again."

thanks,
Santosh

abeeber_3 · ‎10-25-2018

Have you checked your disk capacity on your SH?

I had a situation where a user reported a similar problem with one of his searches.

At the same time another user had submitted a number of searches that got stuck in the dispatch folder and ended up maxing out the disk space on the Search Server.

Once cleared, the other user's search ran as expected with out generated the error above.

richgalloway · ‎10-11-2018

Have you checked the connectivity to your indexers?

---
If this reply helps you, Karma would be appreciated.

bsantosh · ‎10-16-2018

Hi Richgalloway, thanks for your reply. I checked the connectivity with indexers and they look good.
Sorry for late reply.

Error message above search bar

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?