Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do I know if a search head restart did make my results incomplete?

MonkeyK
Builder
‎02-24-2018 09:28 AM

My admin team frequently needs restart our search heads while I have a long running query still running. When this happens, my search page shows the following message

Reading error while waiting for peer . This can be caused by the peer unexpectedly closing or resetting the connection. Search results might be incomplete! If the problem persists, confirm network connectivity between this instance and the peer, and review search.log and splunkd.log on the peer to check its activity.

The message notes that "results might be incomplete". Is there a way to tell if they actually are incomplete?

0 Karma
Reply

valiquet
Contributor
‎03-09-2018 02:24 AM

index=_internal sourcetype=scheduler OR sourcetype=splunkd user=youruser ... search for your search. Status should be completed or success

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 09:24 AM

That sounds like a task where the Network Datamodel from the Common Information Model might help, once your admins have accelerated it.

...and yes, frequent restarts because high availability sounds like we're missing a good chunk of the picture.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-24-2018 03:56 PM

That messages reads like an indexer (= search peer) was restarted, or at least connection was lost to it. If your search head was restarted, I'd expect the search job itself to stop.

That being said, I'd assume incorrect results.
The only scenario where the results would be complete is if that search peer was still searching for data when the connection was lost, but there was no more data to be found - unlikely.

I'd talk to the admin team about why they need restarts that frequently.
Additionally, many searches can be made to run faster through optimization. Feel free to ask a separate question with your search.

0 Karma
Reply

MonkeyK
Builder
‎02-25-2018 08:52 AM

Thanks Martin, I think that I have to trust my admin team on the needed frequency of restarts. They say that it is related to high availability, which seems counter intuitive to me since high-availability should mean that my queries run. So either I have to become an admin to counter the point, or accept the reasoning

Good idea on a separate question for my query. I suspect that it will just run long since it is summarizing billions of network traffic events. But always worth an ask.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...