SoS - no results returned for the "Distributed Searches Memory Usage" view

Sqig
Path Finder

Hi. We are trying the Splunk on Splunk app for the first time because one of our two environments is constantly being hammered.

We have search heads in a pool and we have 4 Indexers for distributed search.

Splunk version is 4.3.3. Latest S.o.S. is installed on the search heads and the SoS TA is installed on the indexers. On all servers, I have enabled the two scripted inputs.

When I pull up the 20 most memory intensive searches, I get No Data returned. The Job Inspector shows the following information, but I have no idea why all of these fields are missing. I'm hoping someone has some insight! Thanks.

DEBUG: Specified field(s) missing from results: '_time', 'search', 'search_head', 'user'
DEBUG: [splunk1-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk2-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk3-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk4-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [subsearch]: base lispy: [ AND index::_audit search splunk_server::splunk3-head-brn1 ]
DEBUG: base lispy: [ AND index::sos sourcetype::ps ]
DEBUG: search context: user="amurray", app="sos", bs-pathname="/app/splunk_mounted/etc"
1 Solution

hexx
Splunk Employee

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

