Monitoring Splunk

Resource impact when extending search job lifetime

ahmadkhilfi
Engager

Hi,

I'm still new to Splunk and I understand that I can extend search or report lifecycle either using GUI or change the dispatch.ttl when scheduling a report. I want to know what will happen when I have hundreds of searches and reports with extended lifetime (7days or more), will there be any impact to the hardware resources when Splunk holds so much data for these reports and searches?

 

Labels (2)
Tags (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The search results will be retained on the search head for 7+ days.  That means disk space will be consumed and not released until the search expires.  The role's disk quota also will be consumed, which may prevent future searches from running.

---
If this reply helps you, Karma would be appreciated.

ahmadkhilfi
Engager

That makes sense, so is there any query or any way to find out how many MBs these search results are consuming on disk?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

There is no direct REST endpoint to query for the current state of quota consumption.

You might be able to dig out something from the _introspection or _metrics indexes but I wouldn't count on too much granularity.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Probably you need to your own TA/scripted input to looking used disk space on $SPLUNK_HOME/var/splunk/dispatch directory?

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...