Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Skipped SavedSearches

RobertRi
Communicator
‎06-07-2018 03:24 AM

Hi!

I get sometimes messages that some savedsearches are skipped.

The only information what I get is an event in the _internal index

SavedSplunker - savedsearch_id="nobody;search;ACCELERATE_7CAC94EC-6F34-4F37-B192-9996EAE4C489_search_nobody_4467991e0c91c9ca_ACCELERATE"

How can I determine, which savedsearch cause this messages and how can I modify the schedule?

Thanks
Rob

Tags (1)
0 Karma
Reply

ddrillic
Ultra Champion
‎06-07-2018 07:44 AM

This skipped saved searches behavior is very painful. One thing you can do is to look at the scheduling of these saved searches and try to space them out. If 30 of them are scheduled at the top of the hour and nothing else in the next couple of minutes, go and distribute them evenly. It's interesting because it goes to the area of distributed administration - power users don't have a view into the over-all scheduling and naturally they would keep their alerts at clean intervals. We, the admins, need to go and separate them. The product should help us more in this regard and potentially offer the power users "open reliable" spots...

0 Karma
Reply

joebisesi
Path Finder
‎06-07-2018 07:23 AM

Does your Splunk environment have a DMC configured? If so under Search>Scheduler Activity>Instance there are some dashboards that have drill downs that should help you to track down the skipped searches.

With it having 'ACCELERATE' you could also look in Settings>Searches, Reports, and Alerts. Use 'Nobody' as the owner, and see if any of them are Accelerated.

The DMC route is the best and quickest, as near the bottom of the page there is a 'Count of Skipped Reports By Name and Reason' that should give you the details you need.

Reply
Related Topics
skipped savedsearches
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...