Getting Data In

How to detect cause & source of Search delays on Splunk Ent. In a clustered SH + Indexer environment. Thank u

SamHTexas
Builder

This includes High priority mostly. How do I view a list & provide a solution please. The error indicating the delays shows up as error message on the Ent. & even the ES server we have. Thanks a million.

Labels (2)
Tags (1)
0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

There's a dashboard in Monitoring Console which displays the list of scheduled searches, their skip ratio and also the reason for them being skipped. You can navigate to it from Settings -> Monitoring Console -> Search -> Scheduler Activity -> Scheduler Activity: Instance

Under this dashboard when you scroll down, there's a panel named "Count of Skipped Reports by Name and Reason

Let me know if this helps your objective.

---
If you find the answer helpful, an upvote/karma is appreciated

SamHTexas
Builder

How would I do this on the ES? Does the MC has to be in Distributed mode? Thx a bunch.

Tags (1)
0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Monitoring Console can work on Standalone mode as well. If you want the whole environment to be monitored via Monitoring Console, then all the Splunk Components should be added as distributed search peer to the monitoring console. You can find the related information here - https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Addinstancesassearchpeers
https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Deploymentsetupsteps 

To configure monitoring console for standalone environment, find reference here - https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Configureinstandalonemode 
https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Singleinstancesetup 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...