How to set workload management rules?

saleshai · ‎06-15-2023

Hi,

I'm trying to set 2 rules in my workload management pool -

search_type=adhoc AND runtime>1m -> Move search to alternate Pool: limited_perf

&

search_type=adhoc AND runtime>10m -> Abort search

The second condition is not getting picked & I still see many long running searches under the Expensive search dashboard. I thought it is a problem with the way these conditions are defined, so I tried changing it to -

search_type=adhoc AND (runtime>1m AND runtime<=10m) - But its throwing error

ERROR: Workload rule "move_longrunning_to_limited_pool" validation failed with error=invalid predicate format 'runtime<=10m'

Where am I going wrong?

caiosalonso · ‎06-16-2023

Hi,

Just checking, if you use just runtime<10m instead of runtime<=10, as below, you get the same invalid predicate format error?

search_type=adhoc AND (runtime>1m AND runtime<10m)

Also, only the second rule that should abort the search is not working? The first one is working as expected?

saleshai · ‎06-18-2023

Hi, So it did not work even with taking the = sign out.

I figured, the workload rules execute as per sequence. The order of the rules is important. Rules are evaluated in order from top to bottom. When I changed the sequence of both rules, it worked correctly -

Rule 1 - search_type=adhoc AND runtime>10m

Rule 2 - search_type=adhoc AND runtime>1m

(I removed the extra conditions & simplified the query)

How to set workload management rules?

monitor

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases