Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- StreamedSearch - Streamed search connection termin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
StreamedSearch - Streamed search connection terminated
Getting this in internal logs "StreamedSearch - Streamed search connection terminated". What does this mean?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These errors are due to the automatic key value pair extraction that Splunk is doing.
For instance, take a look at the following entry log. I have highlighted the issues, which is a bit of pain so I wonder if Splunk can do something about it in order to avoid unnecessary worrying:
02-22-2016 13:49:38.722 +0000 INFO StreamedSearch - Streamed search connection terminated: search_id=remote_myserver_1456148978.13, server=myserver, active_searches=0, elapsedTime=0.082, search='litsearch index=internal log_level=ERROR _time>=1456148678.000 | addinfo type=count label=prereport_events | fields keepcolorder=t "host" "message" "prestats_reserved" "psrsvd_" | prestats count by host message', savedsearch_name=""
This log is just telling me the search has now terminated. The log_level=ERROR means i was searching for these type of errors before, but the actual event is an INFO one.
Hope that helps.
Update:
Forgot to mention you can get rid of these events when searching for errors in your internal logs by doing something like:
index=_internal log_level=ERROR NOT ("log_level=ERROR" StreamedSearch litsearch)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also see these in Splunk internal logs and while the phrasing sounds like an error it is listed as INFO. if you search you will also find a corresponding "StreamedSearch - Streamed search search starting" INFO message a little earlier. It appears that these entries are just logging the start and finish of a search and not indicative of any error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ditto. Have an alert that didnt trigger. From what I can see it shows that same error.
04-16-2015 13:55:19.512 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, we have these too ... what does it mean?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
