Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert skipped - out of search disk space

adamblock2
Path Finder
‎04-08-2016 11:09 AM

We are currently running Splunk 6.2.3. One user has created an alert which for some reason is being skipped with the reason "Out of search disk space".

04-07-2016 23:55:01.126 -0400 INFO SavedSplunker - savedsearch_id="nobody;custom_app;Watch Team - After Hours", user="user1", app="custom_app", savedsearch_name="Watch Team - After Hours", status=skipped, reason="Out of search disk space.", scheduled_time=1460087700

04-07-2016 23:55:01.126 -0400 WARN SavedSplunker - Max alive instance_count=1 reached for savedsearch_id="nobody;custom_app;Watch Team - After Hours"

A user who is a member of the admin role cloned and scheduled the search, and it ran without issue.

After investigating the issue I found "rtSrchJobsQuota = 6" in the /etc/system/default/authorize.conf file. The user in question had previously configured/scheduled 6 searches/alerts - this would be the 7th. Am I correct in deducing that the rtSrchjobsQuota value is what is preventing this alert from running? If yes, would scheduled searches/alerts be considered "real time"?

Thank you.

Tags (1)
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎04-08-2016 12:23 PM

Hi adamblock2, based on the error it seems likely that the user is running into a srchDiskQuota limitation. Check the spec on authorize.conf for more info http://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf

Please let me know if this answers your question! 😄

0 Karma
Reply

adamblock2
Path Finder
‎04-11-2016 08:30 AM

What query could I use to ascertain how close a user is to the srchDiskQuota limit?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...