While I am trying to extract a new field, I get this error
Error in 'SearchOperator:loadjob': The search artifact for job <UUID> is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.
I saw another q&a here on the same message, however, the context does not fit mine. I don't have a saved search that I am trying to run. I am just trying to get the extraction of a new field going. Any ideas?
I am a real newbie at Splunk, so I'm not entirely sure what some of the terms in the message mean. E.g.: "search artifact", "proxy", "searchhead cluster" and "locally".
Unfortunately, I'm not getting much help from my local Splunk admin.
Here are the steps I take to reproduce this error.
Other times, it goes beyond that point, so I can select the sample, then in select method I click the link for defining my own regular expression or I let Splunk try it, and I'll get the error as the next page. Other times, I've been able to go all the way to "Save" and get the error there.
Hi
I am getting error when runing machine learning apps and fields are not populating.
Can you please suggest solution?
Error: Error in 'SearchOperator:loadjob': The search artifact for job XXXXXXXXXXXXXXXXXXXX
is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.
Whats the fix for this?
Could you describe what steps you take before you see that message?
I'll add that above.
Do you get this error without your field extraction search?
Field extraction is the only time I can recall seeing it.
My guess is that there is a saved search (guessing UUID is the name) which is using command loadjob and failing as the Search Head cluster (There are more than one Splunk UI servers where you login and run searches) did not replicate (the Search Head cluster members replicate search artifacts so that each artifact is available in all members and your experience is same on any node) the search artifact. You can ask your local Splunk admin to find and fix that saved search. Guess you may not be the only one with issue (if they are doing the similar steps).
So, I'm new to Splunk. I have looked under Activities > Jobs, set the Owner field as All and I don't see much in the way of jobs there. There are about 6 jobs that look like general system maintenance, owned splunk-system-user, with titles "Bucket Copy Trigger" and "Total Ingested Daily Events". Do I look anywhere else to find saved searches? The jobs I found look to be daily jobs - I don't know how they are created. I am not sure how one creates jobs.
The hostname I use for the Splunk server maps to a load balancer with 2 IP addresses behind it. If what you are suggesting is the case, then I should see a difference when opening both those IP addresses?
The jobs are created when once run an adhoc search or a scheduled search (from Top Right options, Settings -> Searches, reports and alerts). I'm guessing you don't have admin privileges, you might not be able to investigate that either. Would suggest to take help from your admin. (basically we're looking for a search which uses something like this : | loadjob ...
.)
How can we resolve this issue?