ESS queries not working - error

[bossi6of9]

Hi,

I'm trying to query an elastic search instance, but I never get any results and the logs are showing an error. Am I doing something wrong?

Query:

|ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index=netflow-2018.05.01 earliest="now-2h" query="host:1.2.3.4" fields=host

Error: 5-02-2018 12:40:47.197 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/elasticsplunk-master/bin/elasticsplunk.py EXECUTE eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index=netflow-2018.05.01 earliest="now-2h" query="host:1.2.3.4" fields=host': 2018-05-02 12:40:47,197, Level=DEBUG, Pid=3948, Logger=splunklib, File=search_command.py, Line=624, ElasticSplunk.process finished under protocol_version=1 05-02-2018 12:40:47.238 INFO script - Invoked script ess with 399 input bytes (0 events). Returned 0 output bytes in 403 ms.

[bossi6of9]

Update:

Started using the splunk time-picker and made some progress. Now, I get the following: External search command 'ess' returned error code 1. Script output = "error_message=ScanError at "/opt/splunk/etc/apps/elasticsplunk-master/bin/elasticsearch/helpers/init.py", line 394 : Scroll request has only succeeded on 4 shards out of 5. "

[brunotm]

Hi @bossi6of9, this last error indicates a problem with your elasticsearch search. Does the same search with the same time range in kibana produce different results? Which version of elasticsearch are you searching against?

[bossi6of9]

Sorry for not getting back earlier - this is all set. Issue on my side.

[hexvolt]

@bossi6of9 what was the issue?!