Splunk Search

When trying to extract new field, why do I get "Error in 'SearchOperator:loadjob': ... cannot proxy an ad-hoc job in a searchhead cluster." error?

buchs
Explorer

While I am trying to extract a new field, I get this error

Error in 'SearchOperator:loadjob': The search artifact for job <UUID> is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.

I saw another q&a here on the same message, however, the context does not fit mine. I don't have a saved search that I am trying to run. I am just trying to get the extraction of a new field going. Any ideas?

I am a real newbie at Splunk, so I'm not entirely sure what some of the terms in the message mean. E.g.: "search artifact", "proxy", "searchhead cluster" and "locally".

Unfortunately, I'm not getting much help from my local Splunk admin.

Here are the steps I take to reproduce this error.

  1. Log into Splunk UI
  2. Select the App of interest
  3. Enter search query and run it.
  4. Events returned include text like: "... for gantry 97685 with..." and I would like to extract that gantry number.
  5. Scroll down on the list of fields on the left column, to "+ Extract New Fields" and select that.
  6. On the "Select Sample Event" page, I get the error: "Error in 'SearchOperator:loadjob': The search artifact for job '1488295624.4583_53B415AD-15ED-4195-82D1-C5B5DF38FCE3' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally."

Other times, it goes beyond that point, so I can select the sample, then in select method I click the link for defining my own regular expression or I let Splunk try it, and I'll get the error as the next page. Other times, I've been able to go all the way to "Save" and get the error there.

rishimaths
Engager

Hi
I am getting error when runing machine learning apps and fields are not populating.

Can you please suggest solution?

Error: Error in 'SearchOperator:loadjob': The search artifact for job XXXXXXXXXXXXXXXXXXXX
is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.

rrthokala
New Member

Whats the fix for this?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Could you describe what steps you take before you see that message?

0 Karma

buchs
Explorer

I'll add that above.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Do you get this error without your field extraction search?

0 Karma

buchs
Explorer

Field extraction is the only time I can recall seeing it.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

My guess is that there is a saved search (guessing UUID is the name) which is using command loadjob and failing as the Search Head cluster (There are more than one Splunk UI servers where you login and run searches) did not replicate (the Search Head cluster members replicate search artifacts so that each artifact is available in all members and your experience is same on any node) the search artifact. You can ask your local Splunk admin to find and fix that saved search. Guess you may not be the only one with issue (if they are doing the similar steps).

0 Karma

buchs
Explorer

So, I'm new to Splunk. I have looked under Activities > Jobs, set the Owner field as All and I don't see much in the way of jobs there. There are about 6 jobs that look like general system maintenance, owned splunk-system-user, with titles "Bucket Copy Trigger" and "Total Ingested Daily Events". Do I look anywhere else to find saved searches? The jobs I found look to be daily jobs - I don't know how they are created. I am not sure how one creates jobs.

The hostname I use for the Splunk server maps to a load balancer with 2 IP addresses behind it. If what you are suggesting is the case, then I should see a difference when opening both those IP addresses?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The jobs are created when once run an adhoc search or a scheduled search (from Top Right options, Settings -> Searches, reports and alerts). I'm guessing you don't have admin privileges, you might not be able to investigate that either. Would suggest to take help from your admin. (basically we're looking for a search which uses something like this : | loadjob ... .)

gs
Engager

How can we resolve this issue?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...