Solved: Skipped scheduler searches :Your maximum number of...

ankithnageshshe · ‎06-11-2018

Hello All,

Lately I see a lot of skipped scheduler searches in my search head cluster (3) with the reason "Your maximum number of concurrent searches has been reached. usage=3104 quota=3000 user=admin".

If I view from DMC console, I see not more than 200 searches run for each search head summing up to almost 600~700 searches for admin user in the last 4 hours.

I do not see any active running searches neither in the search head job manager nor on the Scheduler activity in the DMC.
However I see a lot of deferred jobs for one of the search head in DMC console.

Do you think rolling restart of search heads will help here as I do not see any search related issue here.

Regards,
Ankith

ankithnageshshe · ‎06-12-2018

Hi All,

Rolling restart of the SHC fixed the issue. Brought down the deferred jobs from 90K to 2K after the rolling restart.

But I'am trying to understand the difference between concurrency search quota for user( admin) and the historical system wide search quota. How this will impact my SHC performance?

Regards,
Ankith

View solution in original post

ankithnageshshe · ‎06-12-2018

Hi All,

Rolling restart of the SHC fixed the issue. Brought down the deferred jobs from 90K to 2K after the rolling restart.

But I'am trying to understand the difference between concurrency search quota for user( admin) and the historical system wide search quota. How this will impact my SHC performance?

Regards,
Ankith

Skipped scheduler searches :Your maximum number of concurrent searches has been reached. usage=3104 quota=3000 user=admin.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases