Solved: Saved search cause slow and not access in splunk

YUNHYEONG · ‎04-23-2019

Hello, splunker.

I have about 50 savedsearch.

It's schedule is executed once every 30 minutes and my workstation have 4 core.

So I set it as follows.

[search]
base_max_searches = 24
max_searches_per_cpu = 4

[scheduler]
max_searches_perc = 200

however, my splunk so slow.

I can't access splunk and putty shell

why?

I am splunk novice.

please help me.

thank you.

codebuilder · ‎04-24-2019

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎04-24-2019

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!

YUNHYEONG · ‎04-26-2019

ty your answer but, i will upgrade my server. it is 8 core. how do i set my server?

codebuilder · ‎04-29-2019

I would suggest testing the parameters I supplied. I think the most important change in your config is the max_searches_perc, which you previously had/have set to 200%. Try the suggested settings then evaluate how your system performs.

----
An upvote would be appreciated and Accept Solution if it helps!

YUNHYEONG · ‎04-29-2019

thank you. It helped me a lot.

Saved search cause slow and not access in splunk

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!