Getting this in internal logs "StreamedSearch - Streamed search connection terminated". What does this mean?
These errors are due to the automatic key value pair extraction that Splunk is doing.
For instance, take a look at the following log entry. I have highlighted the issues, which is a bit of a pain, so I wonder if Splunk can do something about it in order to avoid unnecessary worrying:
02-22-2016 13:49:38.722 +0000 INFO StreamedSearch - Streamed search connection terminated: search_id=remote_myserver_1456148978.13, server=myserver, active_searches=0, elapsedTime=0.082, search='litsearch index=internal log_level=ERROR _time>=1456148678.000 | addinfo type=count label=prereport_events | fields keepcolorder=t "host" "message" "prestats_reserved" "psrsvd_" | prestats count by host message', savedsearch_name=""
This log is just telling me the search has now terminated. The log_level=ERROR means I was searching for these types of errors before, but the actual event is an INFO one.
Hope that helps.
Update:
Forgot to mention you can get rid of these events when searching for errors in your internal logs by doing something like:
index=_internal log_level=ERROR NOT ("log_level=ERROR" StreamedSearch litsearch)
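An added example, not part of the original answer and not Splunk's own code: a small Python model of why the INFO event matches a log_level=ERROR search. The regexes are a simplified stand-in for automatic key=value extraction (an assumption, not Splunk's actual implementation), and the sample lines are constructed from the format shown above.

```python
import re

# splunkd.log header: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
HEADER = re.compile(
    r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)
# Simplified model of automatic extraction: any key=value token in the raw text,
# including tokens that sit inside the quoted search string.
KV = re.compile(r"(\w+)=([^\s,|'\"]+)")

# Constructed sample lines (ExampleComponent is a made-up component name).
SAMPLE = [
    "02-22-2016 13:49:38.722 +0000 INFO StreamedSearch - Streamed search "
    "connection terminated: search_id=remote_myserver_1456148978.13, "
    "server=myserver, active_searches=0, "
    "search='litsearch index=_internal log_level=ERROR | prestats count by host message', "
    'savedsearch_name=""',
    "02-22-2016 13:50:01.100 +0000 ERROR ExampleComponent - constructed failure message",
    "02-22-2016 13:49:38.640 +0000 INFO StreamedSearch - Streamed search "
    "search starting: search_id=remote_myserver_1456148978.13",
]

def header_level(line):
    """Severity the event was actually logged at, taken from the line header."""
    m = HEADER.match(line)
    return m.group("level") if m else None

def kv_levels(line):
    """Every log_level value a raw key=value scan finds anywhere in the line."""
    return [value for key, value in KV.findall(line) if key == "log_level"]

def classify(line):
    """real_error: logged at ERROR. false_match: only the embedded search text
    says log_level=ERROR. no_match: an ERROR search would not return it."""
    real = header_level(line)
    if real == "ERROR":
        return "real_error"
    return "false_match" if "ERROR" in kv_levels(line) else "no_match"

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), header_level(line), kv_levels(line))
```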
I also see these in Splunk internal logs and while the phrasing sounds like an error it is listed as INFO. If you search you will also find a corresponding "StreamedSearch - Streamed search search starting" INFO message a little earlier. It appears that these entries are just logging the start and finish of a search and not indicative of any error.
Ditto. Have an alert that didn't trigger. From what I can see it shows that same error.
04-16-2015 13:55:19.512 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=
yes, we have these too ... what does it mean?