Alerting

Cannot find all my realtime alerts in the Job manager with running status

sudiptakp
New Member

I have 30 realtime e-mail alerts configured in splunk.

In Splunk Manager, it shows that all these searches have been scheduled. I can see the timestamps for all these searches in the schedule column in manager.

However, when I visit the job manager window, I cannot find all these 30 jobs with status=running. I can find only 17 of them, and 3 others, totaling 21.

The following settings have been applied to the limits.conf files found in /etc/system/local as well as /etc/system/default.

max_searches_per_cpu = 4
base_max_searches = 6
max_rt_search_multiplier = 3

My hardware has a CPU with 2 cores.

My splunk version = 5.0.2


rsennett_splunk
Splunk Employee

limits.conf, as suggested by its name, is intended to set limits within the scope of your hardware. The rule of thumb is that Splunk occupies 1 core per search, whether it is real-time or historical. Historical searches release the core when they finish, and a real-time search will release the core when the alert triggers (or never, if you just keep it running), which means you have to have the core capacity to allow for that.

So the intention of limits.conf is for someone with, say, 16 CPUs trying to reduce the load on all of them. It won't expand the use of your 2 cores, however.

You haven't mentioned whether these real-time searches are looking at a window (30 seconds, for instance) or All Real-Time. That will affect how the scheduler runs the jobs. It will attempt to schedule it to kick off, but if there is no CPU available at that time, it will reschedule itself for another window. This doc explains how the scheduler decides priority in relation to concurrency:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Schedulesearchpriority

And this one explains the mechanics of a real-time search.
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutrealtimesearches

Because you are scheduling real-time searches you'll want to take into consideration the information in both docs.

Meanwhile, to get your alerts working while you sort the rest out, consider whether all of those scheduled alerts are required to run against the data prior to indexing (that's what real-time is). It's possible that some of the alerts would still be valid if they ran say, every minute or even every 5 minutes on the already indexed data. The efficiency of that will make more sense after you glance at the doc.

Hope this helps!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
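As an added illustration that is not part of this thread, the following script applies the limits.conf concurrency arithmetic to the values posted in the question. The formulas (max_searches_per_cpu * cores + base_max_searches, multiplied by max_rt_search_multiplier for real-time) and the assumed default scheduler quota max_searches_perc = 50 come from the limits.conf spec, not from the posts above.

```python
"""Compute Splunk search-concurrency ceilings from a limits.conf excerpt."""
import configparser

# Constructed limits.conf excerpt reproducing the values from the question.
# The [scheduler] stanza is an ASSUMED default (max_searches_perc = 50),
# not something the original post shows.
LIMITS_CONF = """
[search]
max_searches_per_cpu = 4
base_max_searches = 6
max_rt_search_multiplier = 3

[scheduler]
max_searches_perc = 50
"""


def parse_limits(text):
    """Parse limits.conf-style text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def concurrency_limits(limits, cpu_cores):
    """Return the historical and real-time ceilings and the scheduler's share.

    Splunk caps historical searches at
        max_searches_per_cpu * cores + base_max_searches
    and real-time searches at max_rt_search_multiplier times that; the
    scheduler may use only max_searches_perc percent of each ceiling for
    scheduled (alert) searches, ad hoc searches take the rest.
    """
    search = limits["search"]
    sched_pct = int(limits.get("scheduler", {}).get("max_searches_perc", 50))
    max_hist = int(search["max_searches_per_cpu"]) * cpu_cores \
        + int(search["base_max_searches"])
    max_rt = int(search["max_rt_search_multiplier"]) * max_hist
    return {
        "max_historical": max_hist,
        "max_realtime": max_rt,
        "scheduler_historical": max_hist * sched_pct // 100,
        "scheduler_realtime": max_rt * sched_pct // 100,
    }


if __name__ == "__main__":
    # 2 cores, as in the question
    for k, v in concurrency_limits(parse_limits(LIMITS_CONF), 2).items():
        print(f"{k}: {v}")
```

On the 2-core host from the question, the scheduler's share of real-time slots works out to 21 under these assumptions, which is the running-job count reported in the post; raising the settings cannot add cores, so the remedy is fewer or non-real-time alerts, as the answer suggests.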