Splunk Search

Unable to save search history?

Path Finder

Hi there, we're seeing messages like the one below in splunkd.log on our search head (hostname TTNET-CH-SPSCH-1). We have about 50 users in our Splunk environment that authenticate via LDAP, and we seem to get a message like the one below every few minutes or so. This seems to happen for pretty much every user we have and across all kinds of searches.

Any idea what's going on here? The impact seems fairly minimal, eg. we just won't have a complete search history stored in Splunk? Still, any information you could provide would be useful. I have turned up debug logging on the DispatchSearch component but nothing is jumping out at me.

Let me know if you need anything else from me. An example snippet is below. Thanks for the help!

10-24-2013 06:56:13.661 -0500 ERROR SearchResults - Failed to remove "/opt/splunk/etc/users/<some_user>/search/history/TTNET-CH-SPSCH-1.ttnet.local.csv.tmp": No such file or directory
10-24-2013 06:56:13.663 -0500 WARN  DispatchSearch - Unable to save search history for user=<some_user>, app=search, sid=1382615771.5102, search='<some_search_here>'
0 Karma

Path Finder

This is apparently a known issue in Splunk 5.x. It's a harmless message according to Splunk support. Good enough for now...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...