Splunk Enterprise Security

Internal Log Errors - copyresults

SplunkFu
Path Finder

Hi there,

I was just looking through our splunkd logs, and I notice multiple errors for the following:

<dateTime> ERROR SearchOperator:copyresults - You must provide a search id.

I couldn't really find much on splunkbase, so I turned up the logging for the copyresults command, and I can now see the following as an example:

INFO  SearchOperator:copyresults - mapped lookup name=system_uptime_tracker to fn=C:\Program Files\Splunk\etc\apps/SA-EndpointProtection/lookups/system_uptime_tracker.csv

INFO  SearchOperator:copyresults - copy results.csv.gz to C:\Program Files\Splunk\etc\apps\SA-EndpointProtection\lookups\system_uptime_tracker.csv, success=1

INFO  ExecProcessor - Ran script: python "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\notable_owners.py", took 2168.4 milliseconds to run, 0 bytes read

ERROR SearchOperator:copyresults - You must provide a search id.

ERROR SearchOperator:copyresults - You must provide a search id.

Does anyone have any thoughts on this? I am seeing the events for other apps as well.

Thanks in advance,

SplunkFu

1 Solution

LukeMurphey
Champion

I'm not sure of the exact root cause but I think it was due to some overly aggressive logging. Reportedly, the messages no longer appear with 5.0.2 and later. Incidentally, I don't see them anymore ever since I upgraded my installation.

tskinnerivsec
Contributor

I just upgraded to Splunk 5.0.3, and I do have one instance of this error with a timestamp of 10 minutes ago, and I performed the upgrade well over an hour ago. I'll chase it down, but I wouldn't say the issue is resolved with the most recent upgrade.

0 Karma

LukeMurphey
Champion

What version of ES and Splunk are you on?

0 Karma

SplunkFu
Path Finder

Thanks for the response.

We are planning our upgrade at the moment, so I will put this to the back of my mind.

0 Karma