Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Deployment Architecture
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Why are ad-hoc jobs not expiring in a Splunk 6.2.6...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmugglet
Communicator
09-27-2015
05:24 PM
We've recently moved our production search heads to a search head cluster, since last week (6.2.6?) I have noticed that any ad-hoc jobs (via REST API or WEB UI) are not expiring and quickly stack up.
I've checked the limits.conf and savedsearches.conf, and have confirmed that the ttl's are set to 600 seconds or less.
This only happens in a clustered environment. We have dev servers running the exact same searches without issue.
In the job inspector info below, I can see that the job was created yesterday. It has completed successfully and has TTLs of 600 seconds, so why is it still there?? The expiration time just updates to now whenever I refresh the jobs list.
Is there some config specific to SHC that sets the TTL for completed jobs?
This is an example from the job inspector
Search job inspector
This search has completed and has returned 1,192 results by scanning 4,986 events in 8.404 seconds.
The following messages were returned by the search subsystem:
INFO: Your timerange was substituted based on your search string
(SID: 1443331931.9_ECBEC051-E014-4F98-95CC-90307C8D43D7) search.log
Execution costs
Duration (seconds) Component Invocations Input count Output count
0.16 command.addinfo 158 4,808 4,808
0.02 command.eval 5 19,877 19,877
0.07 command.fields 158 4,808 4,808
0.00 command.presort 1 1,192 1,192
0.91 command.prestats 158 4,808 4,742
21.69 command.search 317 8,347 10,808
6.22 command.search.rawdata 149 - -
0.74 command.search.kv 149 - -
0.46 command.search.typer 149 4,808 4,808
0.32 command.search.filter 309 - -
0.15 command.search.calcfields 149 4,986 4,986
0.15 command.search.fieldalias 149 4,986 4,986
0.09 command.search.lookups 149 4,986 4,986
0.08 command.search.tags 149 4,808 4,808
0.05 command.search.summary 157 - -
0.00 command.search.index.usec_1_8 38,306 - -
0.00 command.search.index.usec_32768_262144 2 - -
0.00 command.search.index.usec_4096_32768 838 - -
0.00 command.search.index.usec_512_4096 68 - -
0.00 command.search.index.usec_64_512 153 - -
0.00 command.search.index.usec_8_64 1,053 - -
0.00 command.sort 1 1,192 1,192
0.12 command.stats 1 - 3,539
0.61 command.stats.execute_input 159 - -
0.15 command.stats.execute_output 1 - -
0.00 command.table 1 1,192 2,384
0.00 dispatch.check_disk_usage 1 - -
0.08 dispatch.createdSearchResultInfrastructure 1 - -
0.06 dispatch.evaluate 1 - -
0.06 dispatch.evaluate.search 2 - -
0.00 dispatch.evaluate.eval 5 - -
0.00 dispatch.evaluate.stats 2 - -
0.00 dispatch.evaluate.sort 1 - -
0.00 dispatch.evaluate.table 1 - -
7.32 dispatch.fetch 159 - -
0.00 dispatch.localSearch 1 - -
0.32 dispatch.parserThread 157 - -
0.00 dispatch.stream.local 1 - -
22.39 dispatch.stream.remote 157 - 32,716,802
0.03 dispatch.writeStatus 12 - -
0.26 startup.configuration 9 - -
3.49 startup.handoff 9 - -
Search job properties
bundleVersion 4206439116757466412
canSummarize 1
**createTime 2015-09-27T15:32:11.000+10:00**
cursorTime 1970-01-01T10:00:00.000+10:00
defaultSaveTTL 604800
**defaultTTL 600**
delegate None
diskUsage 188416
**dispatchState DONE**
doneProgress 1.0
dropCount 0
eai:acl
{
"app": "apm_snpm",
"can_write": "1",
"modifiable": "1",
"owner": "username",
"perms": {
"read": [
"username"
],
"write": [
"username"
]
},
"sharing": "global",
**"ttl": "600"**
}
earliestTime 2015-09-13T00:00:00.000+10:00
eventAvailableCount 0
eventCount 4808
eventFieldCount 0
eventIsStreaming True
eventIsTruncated True
eventSearch search (eventtype="summary_cvc_util") eventtype=summary_sanitized earliest=1442066400 latest=1443276000 CVC_ID="CVC000000123456"
eventSorting none
isBatchModeSearch True
isDone True
isFailed False
isFinalized False
isGoodSummarizationCandidate 1
isPaused False
isPreviewEnabled False
isRealTimeSearch False
isRemoteTimeline False
isSaved False
isSavedSearch False
isTimeCursored 1
isZombie False
keywords cvc_id::cvc000000123456 earliest::1442066400 eventtype::summary_cvc_util eventtype::summary_sanitized latest::1443276000 tclass::4
label None
latestTime 2015-09-27T00:00:00.000+10:00
modifiedTime 2015-09-28T10:10:59.478+10:00
normalizedSearch litsearch foo bar
numPreviews 0
pid 19020
priority 5
reduceSearch foo bar
request
{
"namespace": "apm_snpm",
"search": "| savedsearch cvc_util_up_down_green cvcid=\"CVC000000123456\" startdate=\"1442066400\" enddate=\"1443276000\" | search tclass=4 | sort 0 date | table date, ACCESS_SEEKER_ID, CSA_ID, POI_CODE, POI_STATE, CVC_ID, tclass, bandwidth, inboundUtilizationPcnt, inboundThroughputMbps, inboundDroppedPcnt, inboundDroppedMbps, outboundUtilizationPcnt, outboundThroughputMbps, outboundDroppedPcnt, outboundDroppedMbps"
}
resultCount 1192
resultIsStreaming False
resultPreviewCount 1192
runDuration 8.404
runtime
{
"auto_cancel": "0",
"auto_pause": "0"
}
scanCount 4986
search | savedsearch cvc_util_up_down_green cvcid="CVC000000123456" startdate="1442066400" enddate="1443276000" | search tclass=4 | sort 0 date | table date, ACCESS_SEEKER_ID, CSA_ID, POI_CODE, POI_STATE, CVC_ID, tclass, bandwidth, inboundUtilizationPcnt, inboundThroughputMbps, inboundDroppedPcnt, inboundDroppedMbps, outboundUtilizationPcnt, outboundThroughputMbps, outboundDroppedPcnt, outboundDroppedMbps
searchCanBeEventType 0
searchEarliestTime 1442066400.000000000
searchLatestTime 1443276000.000000000
searchProviders
[
"indexer1-heavy",
"indexer2-heavy",
"indexer3-heavy",
"indexer4-heavy",
"indexer5-heavy",
"indexer6-heavy",
"indexer7-heavy",
"indexer8-heavy",
"searchead1-heavy"
]
sid 1443331931.9_ECBEC051-E014-4F98-95CC-90307C8D43D7
statusBuckets 0
ttl 600
Additional info search.log
Server info: Splunk 6.2.6, foo.bar.local:8000, Mon Sep 28 10:10:59 2015 User: keithmuggleton
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmugglet
Communicator
12-10-2015
09:31 PM
We've recently upgraded to 6.3.1 and this issue seems to have resolved itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmugglet
Communicator
12-10-2015
09:31 PM
We've recently upgraded to 6.3.1 and this issue seems to have resolved itself.
Get Updates on the Splunk Community!
Monitoring Amazon Elastic Kubernetes Service (EKS)
As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...
Explore the Latest Educational Offerings from Splunk (November Releases)
At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...
