topic How can I find duplicate scheduled searches running in a search head clustering environment? in Deployment Architecture https://community.splunk.com/t5/Deployment-Architecture/How-can-I-find-duplicate-scheduled-searches-running-in-a-search/m-p/209682#M7877 <P>I have a three Node Search Head Cluster environment and I suspect that some of the scheduled searches are running multiple times. How can I find these duplicate Scheduled searches running in an SHC environment.</P> Tue, 19 Apr 2016 21:35:25 GMT sat94541 2016-04-19T21:35:25Z How can I find duplicate scheduled searches running in a search head clustering environment? https://community.splunk.com/t5/Deployment-Architecture/How-can-I-find-duplicate-scheduled-searches-running-in-a-search/m-p/209682#M7877 <P>I have a three Node Search Head Cluster environment and I suspect that some of the scheduled searches are running multiple times. How can I find these duplicate Scheduled searches running in an SHC environment.</P> Tue, 19 Apr 2016 21:35:25 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-I-find-duplicate-scheduled-searches-running-in-a-search/m-p/209682#M7877 sat94541 2016-04-19T21:35:25Z Re: How can I find duplicate scheduled searches running in a search head clustering environment? https://community.splunk.com/t5/Deployment-Architecture/How-can-I-find-duplicate-scheduled-searches-running-in-a-search/m-p/209683#M7878 <P>If you have a DMC that searches across all SHC member on Scheduler.log - you can proceed with the following steps to debug, or else you need to index Scheduler.log from all SHC members somewhere.</P> <P>1)Run the search below to check if any scheduled search was run multiple times:</P> <PRE><CODE>( host= OR host=) ) source=*scheduler.log status=success | rex field=sid "(?\w+_\w+_\w+_\w+_at_\d+)_" | eval secDiff=dispatch_time-scheduled_time | eval schedT=strftime(scheduled_time, "%F %H:%M:%S") | eval dispatchT=strftime(dispatch_time, "%F %H:%M:%S") | transaction shortID keepevicted=t | search linecount&gt;1 |table savedsearch_name, sid, schedT, dispatchT, secDiff, alert_actions </CODE></PRE> <P>Sample Result:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1250iC747AFE5B4B8BE37/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>2) Next you can focus on duplicate sid of one saved search like below to get more detail on the sid like and use the search below to get more details </P> <PRE><CODE> ( host= OR host= ) AND ( (source=*scheduler.log* AND status=success AND ( sid=scheduler__admin_dWlfc21zcw__RMD5ae47099b8f1c50d5_at_1460388900_111_96EB1F29-E71E-49E0-982C-767B6E64BE32 OR sid=scheduler__admin_dWlfc21zcw__RMD5ae47099b8f1c50d5_at_1460388900_122_181ABE0B-D122-42D2-A0C1-BACD9B46F50A )) OR ( source=*splunkd.log* AND "Making node the captain" ) ) | table _raw host </CODE></PRE> <P>Result: In this case it shows duplicate were caused by the captain switch.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1251i3BA8F7EFC276C61B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>In this case duplicate were caused due to switch Captain- this is from Splunk version 6.2.6.</P> Tue, 19 Apr 2016 22:30:14 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-I-find-duplicate-scheduled-searches-running-in-a-search/m-p/209683#M7878 rbal_splunk 2016-04-19T22:30:14Z