How to set workload management rules?

saleshai
Explorer

Hi,

I'm trying to set 2 rules in my workload management pool -

search_type=adhoc AND runtime>1m -> Move search to alternate Pool: limited_perf

&

search_type=adhoc AND runtime>10m -> Abort search

The second condition is not getting picked & I still see many long-running searches under the Expensive search dashboard. I thought it is a problem with the way these conditions are defined, so I tried changing it to -

search_type=adhoc AND (runtime>1m AND runtime<=10m) - But it's throwing an error

ERROR: Workload rule "move_longrunning_to_limited_pool" validation failed with error=invalid predicate format 'runtime<=10m'

Where am I going wrong?

0 Karma

caiosalonso
Path Finder

Hi,

Just checking, if you use just runtime<10m instead of runtime<=10, as below, you get the same invalid predicate format error?

search_type=adhoc AND (runtime>1m AND runtime<10m) 

Also, only the second rule that should abort the search is not working? The first one is working as expected?

 

0 Karma

saleshai
Explorer

Hi, so it did not work even with taking the = sign out.

I figured, the workload rules execute as per sequence. The order of the rules is important. Rules are evaluated in order from top to bottom. When I changed the sequence of both rules, it worked correctly -

Rule 1 - search_type=adhoc AND runtime>10m

Rule 2 - search_type=adhoc AND runtime>1m

(I removed the extra conditions & simplified the query)

0 Karma
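
The ordering behaviour described in the accepted answer, as an added example that is not part of the original thread and is not Splunk's own code: a small Python model that assumes the first matching rule from the top wins, and that flags rules made unreachable by a broader rule above them. The rule name `abort_longrunning`, the action strings and the `s`/`h` unit suffixes are assumptions.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600}  # only "m" appears in the thread; "s" and "h" are assumed

def parse(predicate):
    """Split 'k=v AND runtime>10m' into (equality conditions, runtime threshold in seconds)."""
    conds, threshold = {}, 0
    for term in (t.strip(" ()") for t in predicate.split(" AND ")):
        m = re.fullmatch(r"runtime>(\d+)([smh])", term)
        if m:
            threshold = max(threshold, int(m.group(1)) * UNITS[m.group(2)])
        elif term.startswith("runtime") or "=" not in term:
            # This model accepts only the runtime>N form that the thread shows working.
            raise ValueError(f"invalid predicate format '{term}'")
        else:
            key, value = term.split("=", 1)
            conds[key] = value
    return conds, threshold

def first_match(rules, search):
    """Action of the first rule, top to bottom, whose predicate matches the search."""
    for _name, predicate, action in rules:
        conds, threshold = parse(predicate)
        if search["runtime"] > threshold and all(search.get(k) == v for k, v in conds.items()):
            return action
    return None

def shadowed(rules):
    """Names of rules that can never fire because a broader rule sits above them."""
    parsed = [(name, *parse(predicate)) for name, predicate, _action in rules]
    hidden = []
    for i, (name, conds, threshold) in enumerate(parsed):
        for _, earlier_conds, earlier_threshold in parsed[:i]:
            # Broader: fewer or equal conditions and a lower or equal runtime threshold.
            if earlier_conds.items() <= conds.items() and earlier_threshold <= threshold:
                hidden.append(name)
                break
    return hidden

# The first rule name is from the thread's error message; "abort_longrunning" and the
# action strings are hypothetical labels for this model.
MOVE = ("move_longrunning_to_limited_pool", "search_type=adhoc AND runtime>1m", "move:limited_perf")
ABORT = ("abort_longrunning", "search_type=adhoc AND runtime>10m", "abort")
ORIGINAL_ORDER, FIXED_ORDER = [MOVE, ABORT], [ABORT, MOVE]

if __name__ == "__main__":
    search = {"search_type": "adhoc", "runtime": 15 * 60}  # constructed 15-minute ad hoc search
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, first_match(rules, search), "shadowed:", shadowed(rules))
```

Running `shadowed()` over a rule list before deploying it catches the case from this thread, where the abort rule sat below a move rule with a lower runtime threshold.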