Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert skipped - out of search disk space

adamblock2
Path Finder
‎04-08-2016 11:09 AM

We are currently running Splunk 6.2.3. One user has created an alert which for some reason is being skipped with the reason "Out of search disk space".

04-07-2016 23:55:01.126 -0400 INFO SavedSplunker - savedsearch_id="nobody;custom_app;Watch Team - After Hours", user="user1", app="custom_app", savedsearch_name="Watch Team - After Hours", status=skipped, reason="Out of search disk space.", scheduled_time=1460087700

04-07-2016 23:55:01.126 -0400 WARN SavedSplunker - Max alive instance_count=1 reached for savedsearch_id="nobody;custom_app;Watch Team - After Hours"

A user who is a member of the admin role cloned and scheduled the search, and it ran without issue.

After investigating the issue I found "rtSrchJobsQuota = 6" in the /etc/system/default/authorize.conf file. The user in question had previously configured/scheduled 6 searches/alerts - this would be the 7th. Am I correct in deducing that the rtSrchjobsQuota value is what is preventing this alert from running? If yes, would scheduled searches/alerts be considered "real time"?

Thank you.

Tags (1)
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎04-08-2016 12:23 PM

Hi adamblock2, based on the error it seems likely that the user is running into a srchDiskQuota limitation. Check the spec on authorize.conf for more info http://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf

Please let me know if this answers your question! 😄

0 Karma
Reply

adamblock2
Path Finder
‎04-11-2016 08:30 AM

What query could I use to ascertain how close a user is to the srchDiskQuota limit?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...