All Apps and Add-ons

SoS - no results returned for the "Distributed Searches Memory Usage" view

Sqig
Path Finder

Hi. We are trying the Splunk on Splunk app for the first time because one of our two environments is constantly being hammered.

We have search heads in a pool and we have 4 Indexers for distributed search.

Splunk version is 4.3.3. Latest S.o.S. is installed on the search heads and the SoS TA is installed on the indexers. On all servers, I have enabled the two scripted inputs.

When I pull up the 20 most memory intensive searches, I get No Data returned. The Job Inspector shows the following information, but I have no idea why all of these fields are missing. I'm hoping someone has some insight! Thanks.

DEBUG: Specified field(s) missing from results: '_time', 'search', 'search_head', 'user'
DEBUG: [splunk1-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk2-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk3-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk4-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [subsearch]: base lispy: [ AND index::_audit search splunk_server::splunk3-head-brn1 ]
DEBUG: base lispy: [ AND index::sos sourcetype::ps ]
DEBUG: search context: user="amurray", app="sos", bs-pathname="/app/splunk_mounted/etc"
1 Solution

hexx
Splunk Employee
Splunk Employee

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

View solution in original post

hexx
Splunk Employee
Splunk Employee

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...