Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The search job terminated unexpectedly.

priyanka_231019
Explorer
‎03-17-2021 02:53 AM

Splunk internal logs: INFO StreamedSearch - Streamed search connection terminated

 

Splunk search:

index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker ]
| stats count

 

The search was working fine until today.

Kindly suggest.

Labels (1)
Labels
0 Karma
Reply

priyanka_231019
Explorer
‎03-17-2021 07:06 AM

I did some digging at my end. Apparently, some issue with the search query itself. This query was working fine. The multireport is somehow now causing search to terminate. If I run the query in two parts as below, it is fine.

index=oswinsec source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-30d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) 

 

 

index=oswinsec source="*WinEventLog:Security" action=success
| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-17-2021 06:50 AM

It's possible the search was cancelled because your role used up all of its allowed resources.  Check the search log.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...