- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: StreamedSearch - Streamed search connection te...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
StreamedSearch - Streamed search connection terminated
Getting this in internal logs "StreamedSearch - Streamed search connection terminated". What does this mean?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These errors are due to the automatic key value pair extraction that Splunk is doing.
For instance, take a look at the following entry log. I have highlighted the issues, which is a bit of pain so I wonder if Splunk can do something about it in order to avoid unnecessary worrying:
02-22-2016 13:49:38.722 +0000 INFO StreamedSearch - Streamed search connection terminated: search_id=remote_myserver_1456148978.13, server=myserver, active_searches=0, elapsedTime=0.082, search='litsearch index=internal log_level=ERROR _time>=1456148678.000 | addinfo type=count label=prereport_events | fields keepcolorder=t "host" "message" "prestats_reserved" "psrsvd_" | prestats count by host message', savedsearch_name=""
This log is just telling me the search has now terminated. The log_level=ERROR means i was searching for these type of errors before, but the actual event is an INFO one.
Hope that helps.
Update:
Forgot to mention you can get rid of these events when searching for errors in your internal logs by doing something like:
index=_internal log_level=ERROR NOT ("log_level=ERROR" StreamedSearch litsearch)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also see these in Splunk internal logs and while the phrasing sounds like an error it is listed as INFO. if you search you will also find a corresponding "StreamedSearch - Streamed search search starting" INFO message a little earlier. It appears that these entries are just logging the start and finish of a search and not indicative of any error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ditto. Have an alert that didnt trigger. From what I can see it shows that same error.
04-16-2015 13:55:19.512 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, we have these too ... what does it mean?
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
