https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430412#M123089 <P>Hello @skopelpin,</P> <P>We are using Splunk 7.1.1 and I went to the particular alert and clicked on the advance edit and changed the schedule_windoow to auto from 0.Is this the process or do we need to change by logging into each search head</P> Wed, 31 Oct 2018 20:06:23 GMT vrmandadi 2018-10-31T20:06:23Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430403#M123080 <P>We are using Splunk 7.1.1 with three search heads in a cluster environment.Each search head has 40 CPU cores.A lot of our saved searches are getting skipped because of the maximum concurrent searches are reached(69).I tried following some the answers posted previously and made change in savedsearches.conf --realtime_schedule = 0. </P> <P>After making the above change I see lot searches going into status=continued.</P> <P>Questions:</P> <P>1) will the continued searches run ,when do they run and how to check if they have ran<BR /> 2) Is there any other way or any .conf changes that i need to make to make this searches run<BR /> 3)What changes can I make in the limits.conf file to get the searches running</P> <P>Thanks,<BR /> Vineeth</P> Fri, 19 Oct 2018 02:27:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430403#M123080 vrmandadi 2018-10-19T02:27:11Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430404#M123081 <P>Hi @vrmandadi,</P> <P>Have you looked at answer <A href="https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html">https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html</A> to calculate how many different type of searches you can run concurrently on Splunk ?</P> <P>Additionally as you mentioned that each search head have 40 CPU cores which means each search head can run 46 historical search concurrently. Now you need to check whether captain is delegating scheduled searches to all search heads or not, more information you can find on this question <A href="https://answers.splunk.com/answers/329699/why-does-my-search-head-cluster-captain-start-dele-1.html">https://answers.splunk.com/answers/329699/why-does-my-search-head-cluster-captain-start-dele-1.html</A></P> <P>If all search heads are running at full capacity means all CPU cores occupied by scheduled searches concurrently then I'll suggest to add more search head nodes into search head cluster or fine tune searches which are taking longer to run.</P> Fri, 19 Oct 2018 08:18:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430404#M123081 harsmarvania57 2018-10-19T08:18:24Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430405#M123082 <P>Hello harsmarvania,</P> <P>Thank you for your reply,<BR /> Well My question is relating to status=continued on whether this searches run again or will they be in the same state?.I did check the whether the search head is delegating searches to all search heads and that looks good.Is there a way that we can configure for particular searches to to take high priority than other when multiple searches run at a atime</P> Fri, 19 Oct 2018 15:12:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430405#M123082 vrmandadi 2018-10-19T15:12:20Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430406#M123083 <P>Can I change the max_searches_per_cpu=2 from 1.Does this help for 40 cores?</P> Tue, 29 Sep 2020 21:39:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430406#M123083 vrmandadi 2020-09-29T21:39:52Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430407#M123084 <P>If you change <CODE>max_searches_per_cpu=2</CODE>, your each search head will able to run 86 schedule searches but I'll not recommend this because it will impact search performance (splunk search head will divide same resources with double schedule searches compare to earlier and due to that it will take more time to run) and you'll not get benefit of it.</P> Mon, 22 Oct 2018 15:44:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430407#M123084 harsmarvania57 2018-10-22T15:44:32Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430408#M123085 <P>1) will the continued searches run ,when do they run and how to check if they have ran</P> Mon, 29 Oct 2018 15:00:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430408#M123085 vrmandadi 2018-10-29T15:00:29Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430409#M123086 <P>Check the status based on sid on the searches with status=continued.</P> Mon, 29 Oct 2018 15:25:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430409#M123086 somesoni2 2018-10-29T15:25:46Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430410#M123087 <P>Hello @Somesoni2,</P> <P>I did check them they are running late some are running after 3 hours ,so what is a good work around for these issues,what can be improved </P> Wed, 31 Oct 2018 19:12:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430410#M123087 vrmandadi 2018-10-31T19:12:52Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430411#M123088 <P>You should check your indexer I/O, look at the reason for the skips by checking the internal index, and check out the number of scheduled searches to see if they are stacked on top of each other. You should probably set your schedule_window=auto rather than the default of 0 too. </P> Wed, 31 Oct 2018 19:18:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430411#M123088 skoelpin 2018-10-31T19:18:55Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430412#M123089 <P>Hello @skopelpin,</P> <P>We are using Splunk 7.1.1 and I went to the particular alert and clicked on the advance edit and changed the schedule_windoow to auto from 0.Is this the process or do we need to change by logging into each search head</P> Wed, 31 Oct 2018 20:06:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430412#M123089 vrmandadi 2018-10-31T20:06:23Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430413#M123090 <P>A better method would be to change the default value on the deployer and push it out to all the search heads so new alerts will have an auto value</P> Thu, 01 Nov 2018 13:45:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-the-maximun-concurrent-historical-searches/m-p/430413#M123090 skoelpin 2018-11-01T13:45:42Z