Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to save search history?

jerdmann
Path Finder
‎10-24-2013 09:46 AM

Hi there, we're seeing messages like the one below in splunkd.log on our search head (hostname TTNET-CH-SPSCH-1). We have about 50 users in our Splunk environment that authenticate via LDAP, and we seem to get a message like the one below every few minutes or so. This seems to happen for pretty much every user we have and across all kinds of searches.

Any idea what's going on here? The impact seems fairly minimal, eg. we just won't have a complete search history stored in Splunk? Still, any information you could provide would be useful. I have turned up debug logging on the DispatchSearch component but nothing is jumping out at me.

Let me know if you need anything else from me. An example snippet is below. Thanks for the help!

10-24-2013 06:56:13.661 -0500 ERROR SearchResults - Failed to remove "/opt/splunk/etc/users/<some_user>/search/history/TTNET-CH-SPSCH-1.ttnet.local.csv.tmp": No such file or directory
10-24-2013 06:56:13.663 -0500 WARN  DispatchSearch - Unable to save search history for user=<some_user>, app=search, sid=1382615771.5102, search='<some_search_here>'
0 Karma
Reply

jerdmann
Path Finder
‎01-07-2014 11:19 AM

This is apparently a known issue in Splunk 5.x. It's a harmless message according to Splunk support. Good enough for now...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...