Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting an error banner "[HTTP 404] (...) [{'text':'Unknown sid.','code': None, 'type': 'FATAL'}] when searching in Splunk Web and no results

hexx
Splunk Employee
Splunk Employee
‎04-23-2011 11:49 AM

This error banner is displayed every time a search is run, whether from the search bar or for searches embedded in views :

alt text

No search results are displayed from the UI, but CLI searches are working.

What is going on here? How can this be resolved?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎04-23-2011 11:49 AM

This error means that the search artifact (the file package containing the search results) requested by Splunk Web could not be found in $SPLUNK_HOME/var/run/splunk/dispatch for the search that was just dispatched.

In the error show above, the path to the real-time search artifact requested should be $SPLUNK_HOME/var/run/splunk/dispatch/rt_1302277839.33, but there is nothing there.

This problem commonly happens when the $SPLUNK_HOME/var/run/dispatch directory is hosted on a network device with a time setting behind the system clock of the operating system where splunkd is running.

What happens then is that the search artifacts are created in the dispatch directory with a modification time behind the system time known to splunkd :



[root@splunk-search-head dispatch]# pwd

/opt/splunk/var/run/splunk/dispatch

[root@splunk-search-head dispatch]# touch test ; ls -l test ; date

-rw-r--r-- 1 root root 0 Apr 22 22:16 test      <=== creation time assigned to the file by 

                                                        the NAS device : 22:16pm

Fri Apr 22 22:39:58 GMT 2011                    <=== system time at which the file was

                                                     created : 22:39pm

As you can see here, any file newly-created in the dispatch directory has a modification time 23 minutes behind the system time.

This means that any new search artifact created by an ad-hoc search will be evaluated by splunkd as having exceeded the default TTL (Time To Live) of 15 minutes and will therefore be immediately deleted.

For that reason, it is very important to ensure that the clock of any NAS device hosting the search dispatch directory is in synch with the clock of the system on which splunkd is running.

View solution in original post

Reply
Solved! Jump to solution

charles_cui
Engager
‎12-19-2012 11:38 PM

how can approach to the problem ?

0 Karma
Reply
Solved! Jump to solution

mwong
Splunk Employee
Splunk Employee
‎02-19-2012 08:16 PM

I have a similar case about that issue. Changing the time of the machine and close to NFS server time difference. The issue has gone.

Reply
Solved! Jump to solution

mzax
Splunk Employee
Splunk Employee
‎06-09-2011 01:57 PM

More detailed command to use from the NFS location:

touch var/run/splunk/dispatch/test ;  ls -l --time-style=full var/run/splunk/dispatch/test ; date

On Solaris it's:

touch var/run/splunk/dispatch/test ; ls -l -E var/run/splunk/dispatch/test ; date
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎04-23-2011 11:49 AM

This error means that the search artifact (the file package containing the search results) requested by Splunk Web could not be found in $SPLUNK_HOME/var/run/splunk/dispatch for the search that was just dispatched.

In the error show above, the path to the real-time search artifact requested should be $SPLUNK_HOME/var/run/splunk/dispatch/rt_1302277839.33, but there is nothing there.

This problem commonly happens when the $SPLUNK_HOME/var/run/dispatch directory is hosted on a network device with a time setting behind the system clock of the operating system where splunkd is running.

What happens then is that the search artifacts are created in the dispatch directory with a modification time behind the system time known to splunkd :



[root@splunk-search-head dispatch]# pwd

/opt/splunk/var/run/splunk/dispatch

[root@splunk-search-head dispatch]# touch test ; ls -l test ; date

-rw-r--r-- 1 root root 0 Apr 22 22:16 test      <=== creation time assigned to the file by 

                                                        the NAS device : 22:16pm

Fri Apr 22 22:39:58 GMT 2011                    <=== system time at which the file was

                                                     created : 22:39pm

As you can see here, any file newly-created in the dispatch directory has a modification time 23 minutes behind the system time.

This means that any new search artifact created by an ad-hoc search will be evaluated by splunkd as having exceeded the default TTL (Time To Live) of 15 minutes and will therefore be immediately deleted.

For that reason, it is very important to ensure that the clock of any NAS device hosting the search dispatch directory is in synch with the clock of the system on which splunkd is running.

Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎08-31-2011 06:27 PM

hexx: This is update;

limits.conf.spec says;

[search]

ttl =
* How long search artifacts should be stored on disk once completed, in seconds.
* Defaults to 600, which is equivalent to 10 minutes.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...