Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I can't get fully results in distributed search.

yutaka1005
Builder
‎03-26-2019 10:18 PM

When I have searched in search head, following message was displayed.

error: Some events cannot be displayed because they cannot be fetched from the remote search peer(s). This is likely caused by the natural expiration of the related remote search jobs. To view the omitted events, run the search again.

Also, recently I feel search performance is slow.
Then I investigated cause of this problem, and found following log in each search peer.

  • WARN SearchResultWorkUnit - timed out, sending keepalive nConsecutiveKeepalive=27 currentSetStart=1548939053.000000
  • ERROR SearchResultWorkUnit - Error in transmit, writing to serialized transmit queue terminated.
  • Unable to fully write search results because of Broken pipe wrote 0 out of 2630 bytes

What can be considered as this cause other than "Insufficient value of ulimit on Indexer side" and "Network problem"?

Also, if there is a possibility that there is a network problem, will information for determining it be output to the internal log?

If anyone know about it, please tell me...

0 Karma
Reply

woodcock
Esteemed Legend
‎03-26-2019 11:15 PM

Run the Health Checks on your Monitoring Console, it will probably tell you that you have some combination of these 5 problems on your Indexers; fix ALL OF THEM:

1: THP is on
2: ulimits too low
3: Too few cores
4: Too little RAM
5: Too slow disk I/O
0 Karma
Reply

yutaka1005
Builder
‎03-28-2019 02:33 AM

I can't find problem with THP and ulimit.
Also cpu usage and memory usage is not too high.

The only point of concern is that the utilization of the partition where the hot and warm data of each Indexer are stored is close to 95%, so is this related?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...