
Skipped SavedSearches

Communicator

Hi!

I sometimes get messages that some saved searches are skipped.

The only information I get is an event in the _internal index:

SavedSplunker - savedsearchid="nobody;search;ACCELERATE7CAC94EC-6F34-4F37-B192-9996EAE4C489searchnobody4467991e0c91c9caACCELERATE"

How can I determine which saved search causes these messages, and how can I modify the schedule?

Thanks
Rob

0 Karma

Re: Skipped SavedSearches

Path Finder

Does your Splunk environment have a DMC configured? If so, under Search > Scheduler Activity > Instance there are some dashboards with drilldowns that should help you track down the skipped searches.

With it having 'ACCELERATE' you could also look in Settings>Searches, Reports, and Alerts. Use 'Nobody' as the owner, and see if any of them are Accelerated.

The DMC route is the best and quickest, as near the bottom of the page there is a 'Count of Skipped Reports By Name and Reason' that should give you the details you need.


Re: Skipped SavedSearches

Ultra Champion

This skipped saved searches behavior is very painful. One thing you can do is to look at the scheduling of these saved searches and try to space them out. If 30 of them are scheduled at the top of the hour and nothing else in the next couple of minutes, go and distribute them evenly. It's interesting because it goes to the area of distributed administration - power users don't have a view into the overall scheduling and naturally they would keep their alerts at clean intervals. We, the admins, need to go and separate them. The product should help us more in this regard and potentially offer the power users "open reliable" spots...

0 Karma
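The spacing-out advice in the last reply, as an added example that is not part of the original thread and not Splunk's own code: it counts how many searches start in each minute of the hour from their cron schedules and proposes evenly spread minutes for the ones pinned to a single minute. The search names, the sample schedules and the limit of 5 are constructed assumptions.

```python
from collections import Counter

# Constructed sample of (saved search name, cron_schedule); all names are hypothetical.
SAMPLE = [(f"alert_{i:02d}", "0 * * * *") for i in range(30)]
SAMPLE.append(("summary_5m", "*/5 * * * *"))


def minutes_of(cron):
    """Expand the minute field of a 5-field cron expression into a set of minutes."""
    minutes = set()
    for part in cron.split()[0].split(","):
        base, sep, step = part.partition("/")
        if base == "*":
            lo, hi = 0, 59
        elif "-" in base:
            lo, hi = (int(x) for x in base.split("-"))
        else:
            lo = int(base)
            hi = 59 if sep else lo  # "5/10" is read as "from 5, every 10"
        minutes.update(range(lo, hi + 1, int(step) if sep else 1))
    return minutes


def load_per_minute(searches):
    """Count how many searches the scheduler must start in each minute of the hour."""
    load = Counter()
    for _name, cron in searches:
        load.update(minutes_of(cron))
    return load


def hotspots(searches, limit):
    """Minutes in which more than `limit` searches start at once."""
    return {m: n for m, n in sorted(load_per_minute(searches).items()) if n > limit}


def stagger(searches):
    """Propose evenly spaced minutes for searches pinned to a single minute."""
    pinned = [(n, c) for n, c in searches if len(minutes_of(c)) == 1]
    proposal = {}
    for i, (name, cron) in enumerate(pinned):
        rest = cron.split()[1:]  # keep hour, day, month and weekday fields as they were
        proposal[name] = " ".join([str(i * 60 // len(pinned))] + rest)
    return proposal


if __name__ == "__main__":
    print("before:", hotspots(SAMPLE, limit=5))
    plan = stagger(SAMPLE)
    print("after: ", hotspots([(n, plan.get(n, c)) for n, c in SAMPLE], limit=5))
```

Moving a search to another minute also moves the time window it covers when its time range is relative to the run time, so check each search's earliest and latest settings before applying a proposed schedule.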