New install- why doesn't search work?

skrampachspl · ‎01-31-2023

I have installed my first splunk enterprise on a linux server and installed forwarders on windows workstations using the ports as instructed. Firewall is off and selinux off. The forwarders are calling in.

Now perhaps I am missing something in that in splunk, I select search and enter * (or index=anything, there is a long list) and the error is;

The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references.

I tried another search, and saw another error;
Error in "litsearch" command: Your splunk license expired (the license is new) or you have exceeded your license limit too many times. Renew your splunk license by visiting www.splunk/com/store or calling 866-GET-SPLUNK.
The search job failed due to an error. You may be able to view the job in the job inspector.

All I want is to understand why FORMAT has capturing group references, but the regex does not and to turn my paperweight into a thriving reporting tool.

Can anyone help? Thank you!

PickleRick · ‎02-01-2023

"The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references". If I remember correctly, that should be a warning, not error. Which means that on its own it would not break the search completely, it just might just not extract some fields correctly (and might not find events if your search relied on those fields).

The second error means that your license expired. There might be several reasons (depending on the license type and license usage). You can go to Settings -> License to check your license usage and split it by sources and indexes.

gcusello · ‎01-31-2023

Hi @skrampachspl,

the main problem is that you're using a Free license that permits to index until 500 MB/day.

If you exceed this value for three or more days you're in license violation so searches are blocked.

You have two choices:

ask to your Splunk reference Sales Specialist an unlock license,
completely delete your installation and reinstall all.

Ciao.

Giuseppe

skrampachspl · ‎02-06-2023

Actually, the license being used is not the free one as my company paid $xx k for licensing. Itis odd as I am not a "premier member" after shelling out that much cash.

PickleRick · ‎02-07-2023

As I wrote before - you paid for the license but have you installed the license properly? Do your components properly communicate with license master (if you have a distributed setup)? Did you check your license usage?

HassanMb · ‎02-28-2024

The TA that generates this transforms seems to break searches after running into this error. We have to remove the CA Privileged Access Manager (PAM) Add-on for Splunk TA and restart Splunk to fix this issue. Your issue with search may be related to the TA.,

PickleRick · ‎02-29-2024

Well, no.

While the addon might contain some faulty definitions, it won't prevent the environment from searching in general and cause licensing warning.

isoutamo · ‎02-29-2024

Just look from _internal index have your peer connection to LM or have it license installed locally.

HassanMb · ‎02-29-2024

We noticed this TA error issue on Splunk Cloud as soon as this TA was installed. So there is no license issue in our environment. A quick test is to install this TA in a valid licensed environment and see it break search. The OP may have had a coincidental License error.

New install- why doesn't search work?

regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!