Troubleshoot federated searches

Federated searches can fail to return events for a variety of reasons. The following table covers the most common error messages and conditions, and gives you some ways to resolve them.

Each entry below gives the error message or condition, the resolution, and the topic to read for more information.

Error message or condition: Invalid federated index specified
Resolution: Provide the name of a federated index that exists on your local deployment.
More information: Create a federated index

Error message or condition: Invalid federated provider specified
Resolution: Your search references a federated index which specifies a nonexistent federated provider in its definition. Contact your administrator and have them correct the federated index definition.
More information: Create a federated index

Error message or condition: Unauthorized
Resolution:
- The service account credentials that have been set up for a federated provider in this search may be incorrect. Verify that the Service Account Username and Service Account Password that have been designated for the federated provider are correct. (More information: Service accounts and security for Federated Search for Splunk)
- If the federated provider uses transparent mode and the service account user for the provider has a role that does not have the fsh_manage capability, searches might not run. (More information: Service accounts and security for Federated Search for Splunk)
- If the federated provider uses standard mode, the service account user for the federated provider should have permission to search the index, saved search, and data model datasets on the federated provider that are involved in the search. For example, if the search references an index dataset on the federated provider, the service account for that federated provider should have the ability to search that index dataset. This ability is associated with the service account role. (More information: Manage knowledge object permissions in the Knowledge Manager Manual)

Error message or condition: Zero results returned
Resolution:
- If the federated provider uses standard mode, verify that your role's permissions give you access to the federated indexes referenced in the search. (More information: Service accounts and security for Federated Search for Splunk)
- If the federated provider uses standard mode, verify that the federated index is mapped to a valid remote dataset. (More information: Create a federated index)
- If the remote dataset you are trying to search is an events index, verify that the events index is active. If you need to verify whether an index is active:
- If you are using a standard mode federated provider and the remote dataset you are trying to search is a knowledge object such as a saved search or data model, verify that the knowledge object's permissions enable you to search it. (More information: Manage knowledge object permissions in the Knowledge Manager Manual)
- If possible, run a search job directly on the remote search head to verify that the search head is working correctly.
- If you are using a standard mode federated provider, verify that the remote dataset that the federated index maps to contains more than zero events.

Error message or condition: Search fails to complete, possibly with the error "Socket error during transaction. Socket error: Success"
Resolution: Splunk software can terminate federated searches when their search result preview generation duration exceeds a timeout set by another component in your network, such as an elastic load balancer (ELB). When your search is terminated in this manner, you can change the max_preview_generation_duration setting in federated.conf to a number of seconds lower than the timeout. For example, if you have an ELB that times out at 60 seconds, you might set max_preview_generation_duration to 55. You can change this value with a REST API call.
More information: Federated search endpoint descriptions in the REST API Reference Manual

Error message or condition: Knowledge object issues for standard mode federated providers
Resolution:
- The knowledge objects aren't where the federated provider definition indicates they will be. Verify that the knowledge objects belong to the application identified by Application Short Name, and that the application is installed on the federated provider. (More information: Set the app context for standard mode federated providers)
- Your search includes custom knowledge objects that are not duplicated on the remote search head of the federated provider or the local federated search head, as needed. (More information: Manage knowledge objects for standard mode federated providers)
- Verify that the permissions of knowledge objects on the remote search head are set so that users running federated searches from the local search head can access them. (More information: Manage knowledge object permissions in the Knowledge Manager Manual)

Error message or condition: Knowledge object issues for transparent mode federated providers
Resolution: Did you run a search within minutes of setting up a transparent mode federated provider? The process by which knowledge objects are transferred from your local deployment to a transparent mode federated provider takes a few minutes. You might be encountering issues because the knowledge objects upon which your search depends aren't yet present on the remote search head. This latency can vary depending on your network bandwidth and the size of the knowledge object bundle. Wait and try your search again.
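The following Python script is an added example, not part of the Splunk documentation or the Splunk product, for the "Search fails to complete" condition above. It checks a federated.conf text for a max_preview_generation_duration value that is not below the load balancer timeout, and rewrites the setting to a value below that timeout so preview generation finishes before the load balancer closes the connection. The sample configuration text, the [general] stanza name, the provider stanza contents, and the five-second margin are assumptions; confirm the stanza name against federated.conf.spec for your Splunk version before applying a change, whether by file or by the REST API.

```python
from configparser import ConfigParser
import io

# Constructed sample federated.conf text (not copied from a real deployment).
# Assumption: max_preview_generation_duration lives in a [general] stanza;
# the provider stanza keys below are illustrative only.
SAMPLE_FEDERATED_CONF = """\
[general]
max_preview_generation_duration = 60

[provider://remote_sh_example]
type = splunk
"""

# Assumed margin so preview generation ends clearly before the LB idle timeout.
SAFETY_MARGIN_SECONDS = 5
SETTING = "max_preview_generation_duration"


def recommended_preview_duration(lb_timeout_seconds, margin=SAFETY_MARGIN_SECONDS):
    """Return a preview-generation limit below the load balancer timeout
    (60-second ELB timeout -> 55, matching the example in the text)."""
    if lb_timeout_seconds <= margin:
        raise ValueError("load balancer timeout is too small for the chosen margin")
    return lb_timeout_seconds - margin


def parse_conf(text):
    """Parse Splunk-style .conf text; interpolation is off because Splunk
    conf values may legitimately contain '%' characters."""
    parser = ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep setting names case-sensitive, as Splunk does
    parser.read_string(text)
    return parser


def check_preview_duration(conf_text, lb_timeout_seconds, stanza="general"):
    """Return (ok, current_value). ok is False when the setting is absent or
    is not strictly below the load balancer timeout, the condition under
    which the load balancer can cut the search off mid-preview."""
    parser = parse_conf(conf_text)
    if not parser.has_option(stanza, SETTING):
        return False, None
    current = parser.getint(stanza, SETTING)
    return current < lb_timeout_seconds, current


def set_preview_duration(conf_text, lb_timeout_seconds, stanza="general"):
    """Return new conf text with the setting lowered below the LB timeout;
    other stanzas are preserved unchanged."""
    parser = parse_conf(conf_text)
    if not parser.has_section(stanza):
        parser.add_section(stanza)
    parser.set(stanza, SETTING, str(recommended_preview_duration(lb_timeout_seconds)))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    elb_timeout = 60  # constructed: the ELB idle timeout from the text's example
    ok, current = check_preview_duration(SAMPLE_FEDERATED_CONF, elb_timeout)
    print(f"current={current} ok={ok}")
    if not ok:
        print(set_preview_duration(SAMPLE_FEDERATED_CONF, elb_timeout))
```

Run the script as-is to see the mismatch flagged and the corrected stanza printed; to audit a real deployment, read the actual federated.conf text into check_preview_duration with the timeout your load balancer enforces.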