Monitoring Splunk

What does historical mode mean in the Scheduled Activity dashboard in DMC?

joshiro
Communicator

We are trying to troubleshoot some memory consumption issues with one of the SH cluster nodes.

We found that this instance shows high concurrency of scheduled reports 46/15 historical while the other nodes are way below this number.

joshiro_0-1673537846628.png

Also in the running historical scheduled reports panel we got a column Mode that shows "historical" as value.

joshiro_1-1673537963867.png


What does a "historical" report mean in this context?

The Splunk documentation for DMC doesnt explain it.
https://docs.splunk.com/Documentation/Splunk/9.0.3/DMC/Scheduleractivity

Regards.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

https://docs.splunk.com/Splexicon:Historicalsearch

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

https://docs.splunk.com/Splexicon:Historicalsearch

---
If this reply helps you, Karma would be appreciated.

joshiro
Communicator

Thanks for the reply. Very helpful, but i still cant clearly understand what the number 46 means.

Are the 46 concurrent historical searches that shows this panel scheduled and running at this moment?
Or are they currently scheduled to run at another time (not running)?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The left number (46) is highest number of searches running at any time in the past (not sure how far back it looks).  The right number (15) is the configured maximum number of concurrent searches.

---
If this reply helps you, Karma would be appreciated.

joshiro
Communicator

I guess we got something wrong with the SH cluster, it is not scheduling the searches evenly across the nodes.

joshiro_0-1673615420142.png

And the one with the highest count is not even the captain.

Thanks again for the reply, we ll open a support case and try to troubleshoot this issue.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...