Splunk Search

Searches cancelled remotely or expired

tlabue
Path Finder

I am currently running Splunk Enterprise 6.5.2, though this problem has persisted in one of our instances for a bit.

Everytime a search is attempted, we immediately get the familiar messages that it was cancelled remotely.

I've read the other entries in Answers and none of the suggestions seemed to work.

We are running a single node instance and the server clock seems to be in order.

I have raised the value of ttl in the limits.conf, but to no avail:
[server]
ttl=1800

What else should I be looking for to get this issue resolved?

Thanks,
Tom

Tags (1)

mbadhusha_splun
Splunk Employee
Splunk Employee

This error means that the search artifact (the file package containing the search results) requested by Splunk Web could not be found in $SPLUNK_HOME/var/run/splunk/dispatch for the search that was just dispatched.

This problem commonly happens when the $SPLUNK_HOME/var/run/dispatch directory is hosted on a network device with a time setting behind the system clock of the operating system where splunkd is running.

What happens then is that the search artifacts are created in the dispatch directory with a modification time behind the system time known to splunkd.

Verify the time difference between your indexers/search head and check your system clocks and make sure they are all in sync. (Using NTP)

This is a known issue for some of the Splunk versions, and below is the workaround to fix this issue.

Under $SPLUNK_HOME/etc/system/local/limits.conf, add

[search]
min_settings_period = 60

Note: This is in seconds. Defaults to 1 second.

mic
Splunk Employee
Splunk Employee

I believe it's [search] stanza that would make it to work

$SPLUNK_HOME/etc/system/local/limits.conf
[search]
min_settings_period = 60

0 Karma

mbadhusha_splun
Splunk Employee
Splunk Employee

Thanks, mate. It was a typo.

0 Karma

vinkumar_splunk
Splunk Employee
Splunk Employee

It worked. thanks !!

0 Karma