Re: Searches cancelled remotely or expired

tlabue · ‎02-14-2017

I am currently running Splunk Enterprise 6.5.2, though this problem has persisted in one of our instances for a bit.

Everytime a search is attempted, we immediately get the familiar messages that it was cancelled remotely.

I've read the other entries in Answers and none of the suggestions seemed to work.

We are running a single node instance and the server clock seems to be in order.

I have raised the value of ttl in the limits.conf, but to no avail:
[server]
ttl=1800

What else should I be looking for to get this issue resolved?

Thanks,
Tom

mbadhusha_splun · ‎10-03-2018

This error means that the search artifact (the file package containing the search results) requested by Splunk Web could not be found in $SPLUNK_HOME/var/run/splunk/dispatch for the search that was just dispatched.

This problem commonly happens when the $SPLUNK_HOME/var/run/dispatch directory is hosted on a network device with a time setting behind the system clock of the operating system where splunkd is running.

What happens then is that the search artifacts are created in the dispatch directory with a modification time behind the system time known to splunkd.

Verify the time difference between your indexers/search head and check your system clocks and make sure they are all in sync. (Using NTP)

This is a known issue for some of the Splunk versions, and below is the workaround to fix this issue.

Under $SPLUNK_HOME/etc/system/local/limits.conf, add

[search]
min_settings_period = 60

Note: This is in seconds. Defaults to 1 second.

mic · ‎10-30-2018

I believe it's [search] stanza that would make it to work

$SPLUNK_HOME/etc/system/local/limits.conf
[search]
min_settings_period = 60

mbadhusha_splun · ‎10-31-2018

Thanks, mate. It was a typo.

vinkumar_splunk · ‎10-09-2018

It worked. thanks !!

Searches cancelled remotely or expired

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!