topic Re: Warning on the search in Splunk Search

Warning on the search

aniello_cerrato — Tue, 10 Apr 2018 09:58:45 GMT

Hi,

I have the below error when I execute the query on Splunk, the problem is present only in Production env and not in dev environment.

Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.

Please help me on this.

Thanks,
Aniello

Re: Warning on the search

gcusello — Tue, 10 Apr 2018 10:10:43 GMT

Hi aniello_cerrato
could you share more information?
what's the error?
what kind of search you're using?

Ciao.
Giuseppe

Re: Warning on the search

aniello_cerrato — Tue, 29 Sep 2020 18:55:26 GMT

Hi Giuseppe,

I execute this query, the warning appears on the dashboard.

index=devops source="DOO_DEPLOY_HST" |dedup ID | search STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ | timechart span=1d count by STATUS

Re: Warning on the search

gcusello — Tue, 29 Sep 2020 18:58:02 GMT

Hi aniello_cerrato,
$SYSTEM$, $RELEASE_WIND$, $RELEASE_MODE$ and $ENV_DEPLOY$ are dashboard tokens, is it correct?
At first modify your search because best practices say that it's conevenient to have search parameters as left as you can.

index=devops source="DOO_DEPLOY_HST" STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ 
| dedup ID
| timechart span=1d count by STATUS

Then what's Time period you used?
In addition, $SYSTEM$, $RELEASE_MODE$ and $ENV_DEPLOY$ are full text searches or field searches?
If you use a not structured search on a large time period it's easy to have slow performaces.

Warning message says that you have events in many buckets, so search could be slow.
Did you used default parameter for ingestion or do you used special values?

Ciao.
Giuseppe

Re: Warning on the search

aniello_cerrato — Tue, 10 Apr 2018 12:23:06 GMT

Hi Giuseppe,

thanks for the reply. I use the same query also in test environment and I don't have this warning.

What you mean about the below point?

Did you used default parameter for ingestion or do you used special values?

Re: Warning on the search

gcusello — Tue, 10 Apr 2018 12:32:31 GMT

This means that you can configure the number of buckets to archive logs.

I don't know why in test environment you haven't this message, have you many concurrent users?
do you have this message every time or sometimes: it doesn't seem an overload problem.

Bye.
giuseppe

Re: Warning on the search

aniello_cerrato — Tue, 10 Apr 2018 12:37:37 GMT

I have this problem always in production env, there is some condition on the index?

Re: Warning on the search

gcusello — Tue, 10 Apr 2018 14:32:37 GMT

on index you can give access to a user role.
Have you the message only from a user or also running search by admin?
If you haven't message by admin problem is on role permissions.

Bye.
Giuseppe