Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

in splunkd.log a lot of warnings : DispatchCommand - could not read metadata file

imrago
Contributor
‎04-13-2010 12:18 AM

In my splunkd.log (v4.1) I have a lot of warnings like these :

04-13-2010 00:05:19.676 WARN  DispatchCommand - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/1271116501.1/metadata.csv
04-13-2010 00:05:19.677 WARN  DispatchCommand - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/1271116742.1/metadata.csv
04-13-2010 00:13:50.395 WARN  DispatchCommand - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/1271117581.1/metadata.csv
04-13-2010 00:13:50.395 WARN  DispatchCommand - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/1271117162.1/metadata.csv

What could be the reason for these warnings?

Reply
1 Solution
Solved! Jump to solution
Solution

imrago
Contributor
‎04-15-2010 06:40 AM

Finally I have found the underlaying problem. From the cron the searches in splunk where executed as root user, and the owner of those files in /opt/splunk/var/run/splunk/dispatch/.... was root, which in turn caused the error messages in previous post.

Changed in cron root to splunk and the errors disappeared.

View solution in original post

Reply
Solved! Jump to solution

fleXible
Explorer
‎08-14-2016 01:29 AM

I found a solution to my specific breed of the problem. After toying around with the Splunk_SA_CIM and SplunkAppForWebAnalytics, which both define the Web datamodel, my log quickly filled with these messages:

08-14-2016 09:40:58.919 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD5cd22bc27c7bb1b18_at_1471146000_98/metadata.csv
08-14-2016 09:40:58.919 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD56b5a72de0a2a981e_at_1471146000_97/metadata.csv
08-14-2016 09:41:28.922 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD5cd22bc27c7bb1b18_at_1471146000_98/metadata.csv
08-14-2016 09:41:28.923 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD56b5a72de0a2a981e_at_1471146000_97/metadata.csv
08-14-2016 09:41:58.918 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD5cd22bc27c7bb1b18_at_1471146000_98/metadata.csv
08-14-2016 09:41:58.918 +0200 WARN  DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/scheduler__nobody__SplunkAppForWebAnalytics__RMD56b5a72de0a2a981e_at_1471146000_97/metadata.csv

The reason for this error message in my special case was, by often restarting the splunk service, it was unable to finish correctly writing out the dispatch data and just left corrupt (empty) files there instead.

ll scheduler__nobody__SplunkAppForWebAnalytics__RMD56b5a72de0a2a981e_at_1471146000_97/
total 36K
prw------- 1 root root    0 Aug 14 05:40 alive.token|
-rw------- 1 root root    0 Aug 14 05:40 args.txt
-rw------- 1 root root    0 Aug 14 05:53 audited
-rw------- 1 root root  28K Aug 14 05:40 info.csv
-rw------- 1 root root    0 Aug 14 05:40 metadata.csv
-rw------- 1 root root    0 Aug 14 05:40 peers.csv
-rw------- 1 root root    0 Aug 14 05:40 pipeline_sets
-rw------- 1 root root    0 Aug 14 05:40 request.csv
-rw------- 1 root root    0 Aug 14 05:40 search.log
-rw------- 1 root root 6.8K Aug 14 05:40 status.csv

After removing the corrupt directories, the error messages went away with them.

Reply
Solved! Jump to solution

Mick
Splunk Employee
Splunk Employee
‎06-22-2010 03:49 PM

This is one explanation, another is that there is a known bug in 4.1.2 & 4.1.3 where Splunk tries to access a results file before it is actually created. It's not really anything to be concerned about, unless you're actually noticing a problem with loading search results or accessing saved results objects.

It will be resolved in an upcoming release

Reply
Solved! Jump to solution
Solution

imrago
Contributor
‎04-15-2010 06:40 AM

Finally I have found the underlaying problem. From the cron the searches in splunk where executed as root user, and the owner of those files in /opt/splunk/var/run/splunk/dispatch/.... was root, which in turn caused the error messages in previous post.

Changed in cron root to splunk and the errors disappeared.

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...