Solved: Re: Display error :Could not create search

kavana · ‎01-03-2017

create many query in panels, but some panels can display right search result, some can not and display the error:Could not create search .

I deleted some panels so that all the panels can display right search result.

So, are there too many query or SPL in my APP?

By the way, the error panels were different when run the search each time（error display in which panels are look like random）.

＜updated＞
I change the IE to Chrome then run the search again, everything gonna be OK !
Is it bug for splunk ?
How to fix it if I have to use IE ?

kalianov · ‎01-04-2017

I think you need to check parameters (base_max_searches, max_searches_per_cpu, max_rt_search_multiplier) in file limits.conf in [search] section.
Caution: do not change limits.conf settings unless you know what you are doing.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Limitsconf#.5Bsearch.5D

Also read this:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Report/Configurethepriorityofscheduledreports

View solution in original post

eregon · ‎04-03-2019

You should check what are the hardware resources of your respective search-head (or maybe you have a single-instance Splunk?) and what are the hardware resources of the machine you are using to display your dashboard (your workstation/notebook/...). "Could not create search" is caused by timeout, and it may have causes on both server and client side.

On client-side, this may be caused (among other causes) by slow processing in client-side browser. This corresponds to your experience of Chrome suffering less than IE (Chrome is known to be more efficient). Try to display your dashboard on more powerful computer (or at least kill all other applications and browser tabs).

If the problem is in insufficient resources of the search-head (you should see constantly high CPU load, check your monitoring console), try to reduce the load by reducing the number of concurrent searches (eg. remove some panels) and/or simplyfying your queries. You should also consider upgrading your server hardware.

Increasing values in limits.conf (as discussed under the other answer) can actually make things worse in such case (it is like bringing even more traffic to a street suffering from regular traffic jams). Tuning the limits is rather complex topic that can not be explained in a short answer here and is affected by many aspects (including your topology etc.). Without good understanding of how Splunk works under the hood, this might be a kind of black magic. Definitely not a thing to experiment with in a production environments.

RogerMay · ‎04-11-2019

I accept that various concurrent search settings can initially cause this problem, HOWEVER, the main issue for me is that even with each panel auto refreshing and the dashboard as a whole auto refreshing, the message does not go away. It is only when the browser is refreshed with an F5 that the search is retried.

niketn · ‎01-04-2017

Have you used post processing in your search queries?
Are you passing statistically aggregated data or raw events through post processing?
Also how many queries are you trying to run?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kavana · ‎01-05-2017

Sorry,I'm rookie about splunk.
How can I distinguish if I used post processing ?

niketn · ‎01-05-2017

In your <search> tags do you see id="<SomeSearchName>" and then base="<SomeSearchName>" ?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kavana · ‎01-05-2017

There is no id="" and then base="" in tags.

niketn · ‎01-05-2017

Also check your earliest and latest tags whether there is realtime searh rt used or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kalianov · ‎01-04-2017

I think you need to check parameters (base_max_searches, max_searches_per_cpu, max_rt_search_multiplier) in file limits.conf in [search] section.
Caution: do not change limits.conf settings unless you know what you are doing.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Limitsconf#.5Bsearch.5D

Also read this:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Report/Configurethepriorityofscheduledreports

kavana · ‎01-04-2017

Thank you so much!

The default value of 「base_max_searches」 in limits.conf is 6, I increaseｄ the value(to 100) then all the panels also can be run in IE and no error.

Cuyose · ‎11-09-2017

This has not helped my situation. We are not receiving any errors I can find in the logs however routinely receive "Could not create search" in dashboard panels randomly.

kavana · ‎01-04-2017

unfortunately, Just first time to run the searches are OK.

The error happens again after first time in IE....

kalianov · ‎01-10-2017

base_max_searches = 100 is too much.

max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches

max_rt_searches = max_rt_search_multiplier x max_hist_searches

Display error :Could not create search

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM