Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduler stop working

bckq
Path Finder
‎10-18-2013 02:31 AM

I have about 150-200 scheduled searches that runs every minute. Most of searches look for data from 15 minutes till now. I noticed, that sometimes scheduler is stop working. Once it is for 2 minutes, sometimes even for 15 oraz 30 minutes. I monitor number of entries to scheduler.log and you can see the result of my tests. This situation affect on my dashboards. When scheduler has stopped, when I refresh my dashboard I will see old data, from last search done. This is serious problem, because I use Splunk for monitoring. This line should be always solid and constant.

Number of entries to scheduler log per minute.
Number of entries to scheduler log per minute.

Another thing is why Splunk runs only ~100 searches per minute if I have 200 to do.

I am using Splunk 5.0.4. One search head and two indexers.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 05:05 AM

There is a finite number of searches that splunk will run concurrently and it depends on the resources (more specifically the number of CPU cores) that your system has. While you may want the scheduler to run 200 searches per minute it may not have the capacity to do so due to insufficient number of cores (or long runtimes of each search). When that capacity is reached, by default the scheduler will skip starting/executing of the next instance of a search unless you change governing defaults in limits.conf. However, the change will not really help in actually completing said search - it will only start it and the search will run/complete when the operating system has enough resources to do so (ie. when the currently running searches release them).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bckq
Path Finder
‎10-18-2013 07:33 AM

IBM HS22 with 24 cores and 24GB RAM.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 05:05 AM

There is a finite number of searches that splunk will run concurrently and it depends on the resources (more specifically the number of CPU cores) that your system has. While you may want the scheduler to run 200 searches per minute it may not have the capacity to do so due to insufficient number of cores (or long runtimes of each search). When that capacity is reached, by default the scheduler will skip starting/executing of the next instance of a search unless you change governing defaults in limits.conf. However, the change will not really help in actually completing said search - it will only start it and the search will run/complete when the operating system has enough resources to do so (ie. when the currently running searches release them).

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 07:45 AM

I cannot say why without looking at the scheduler.log or splunkd.log but I would assume that maybe it is because the run duration of those searches is such that the scheduler cannot run new searches until some finish.

0 Karma
Reply
Solved! Jump to solution

bckq
Path Finder
‎10-18-2013 07:34 AM

I understand that I cannot run more searches in specified time, but why does the scheduler stop working for example 15-20 minutes and then start without reason again?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-18-2013 04:16 AM

How much CPU/RAM does your Search Head / Indexers have?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...