Solved: Splunkweb performance help: "system is approaching...

abhayneilam · ‎07-16-2014

Hi,

When I am trying to open a splunkweb form the browser, it is becoming too too slow and not opening at all , I have checked from backend and found that splunkd and splunkweb is working . When I checked the log ( splunkd.log) I found the below string :

07-16-2014 16:40:35.083 +0200 WARN DispatchCommand - The system is approaching the maximum number of historical searches that can be run concurrently. current=57 maxum=68
07-16-2014 16:40:35.108 +0200 WARN DispatchCommand - The system is approaching the maximum number of historical searches that can be run concurrently. current=58 maxum=68
07-16-2014 16:40:35.134 +0200 WARN DispatchCommand - The system is approaching the maximum number of historical searches that can be run concurrently. current=59 maxum=68
07-16-2014 16:40:35.159 +0200 WARN DispatchCommand - The system is approaching the maximum number of historical searches that can be run concurrently. current=60 maxum=68
07-16-2014 16:40:35.183 +0200 WARN DispatchCommand - The system is approaching the maximum number of historical searches that can be run concurrently. current=61 maxum=68

07-16-2014 16:36:08.181 +0200 INFO PipelineComponent - HTTPAuthManager:timeoutCallback() took longer than seems reasonable (56944 milliseconds) in callbackRunnerThread. Might indicate hardware or

splunk limitations.
07-16-2014 16:36:08.230 +0200 WARN LMTracker - skipping directive, reason='found invalid directive cmd='D_set_active_group' args=[Enterprise,,] argsize=3'
07-16-2014 16:37:54.024 +0200 INFO PipelineComponent - HTTPAuthManager:timeoutCallback() took longer than seems reasonable (46968 milliseconds) in callbackRunnerThread. Might indicate hardware or

splunk limitations.
07-16-2014 16:37:55.076 +0200 WARN LMTracker - skipping directive, reason='found invalid directive cmd='D_set_active_group' args=[Enterprise,,] argsize=3'

I am using splunk 4.3.4 version as my search head. Please help me to fix this problem as a permanent work around .

yannK · ‎07-16-2014

4.3.* is end of life, start doing a backup and upgrade to 6.1.2

important points are :
- see your limits.conf if you tuned your number of searches per cpu : splunk 6 is using a 1 search = 1 core ratio with a better scheduling.
- see ulimit for "number of file descriptors" and "number of processes", the requirements increased.

View solution in original post

yannK · ‎07-16-2014

4.3.* is end of life, start doing a backup and upgrade to 6.1.2

important points are :
- see your limits.conf if you tuned your number of searches per cpu : splunk 6 is using a 1 search = 1 core ratio with a better scheduling.
- see ulimit for "number of file descriptors" and "number of processes", the requirements increased.

abhayneilam · ‎07-18-2014

Many thanks for your support Yannk !!

yannK · ‎07-16-2014

for the LM error, this is because of your license groups/pool, you may want clear them and recreate them.

Splunkweb performance help: "system is approaching maximum number of historical searches"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?