Splunk Search

Cannot find artifacts for savedsearch_ident

mfrost8
Builder

I have some saved searches that are generating the messages like the following when they attempt to run:

05-11-2010 11:00:11.531 ERROR SearchProcessor - Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearch_ident '<user>;search;<search name>'.

It's not clear to me if it's running successfully or not as this is not a common error for us. However, this error is repeating a lot and throwing these messages every 5 minutes to my splunkd logs which makes things look like I have hundreds of errors.

If I run this saved search manually, it runs fine.

I recently upgrade to 4.1.2 from 4.0.10, but I see the error occurring while we were at 4.0.10 as well.

Actually, the one odd thing I see is that all of these searches seem to be from the same user. Other saved searches are working without this error. But that user does have other saved searches that run without error.

Tags (1)
1 Solution

mfrost8
Builder

This was indeed the situation I mentioned where the user was attempting use the "rises by 1". Once we changed to "greater than 0", the problem went away. It was not my impression that the "rises by" functionality required anything special like a summary index so I'm not quite sure why I would have had that issue.

In any case, this has been resolved.

View solution in original post

tedandkristy
Engager

I had been trying to figure this one out for weeks and finally found that it was my syntax. The
loadjob savedsearch="user:app:my_search"
was not working correctly (I think something to do with a clustered environment without replication). I found the new syntax of
savedsearch "my_search" fixed the problem.

MasterOogway
Communicator

I know this is late to the game but I found the real reason why you were receiving that error.

ERROR SearchOperator:loadjob - Cannot find artifacts for savedsearch_ident

Usually this shows up when your trying to compare results from a current search to a previous one and the results from the earlier search cannot be found. Appears to be harmless knowing this will go away once the search condition is met.

0 Karma

mfrost8
Builder

This was indeed the situation I mentioned where the user was attempting use the "rises by 1". Once we changed to "greater than 0", the problem went away. It was not my impression that the "rises by" functionality required anything special like a summary index so I'm not quite sure why I would have had that issue.

In any case, this has been resolved.

vrmandadi
Builder

where do we change the "greater than 0"

0 Karma

sideview
SplunkTrust
SplunkTrust

It sounds like that user does not have sufficient privileges to see jobs from that saved search.

You can read more about permissions at a couple places in the developer manual, notably here: http://www.splunk.com/base/Documentation/4.1.2/Developer/Step5SetPermissions

and the savedsearches page may help as well. http://www.splunk.com/base/Documentation/4.1.2/Developer/SavedSearchesViews

0 Karma

mfrost8
Builder

As an additional followup, I think I found what this might be. The user who setup these saved searches was looking for the presence of a particular error message. If it existed, the saved search should send an e-mail message. However, the user had the conditions set to "rises by 1". What she really wanted was "greater than 0". I didn't see any particular information in the documentation saying there were caveats about using "rises by", but in this case, the event count would almost always be 0. I changed it to greater than 0 and have seen no errors in splunkd.log.

0 Karma

vrmandadi
Builder

where do we need to change the "greater than 0"

0 Karma

mfrost8
Builder

I had thought of that, but this user is in the same roles that I'm in -- admin, power, user and another locally-created role. Well, I also have the can_delete role, but I don't think that comes into play here.

Can I validate this configuration directly in files? That is, maybe what's shown for roles for this user in the web interface isn't actually what Splunk is seeing using via config files?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...