Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Saved search cause slow and not access in splunk

YUNHYEONG
Explorer
‎04-23-2019 06:27 PM

Hello, splunker.

I have about 50 savedsearch.

It's schedule is executed once every 30 minutes and my workstation have 4 core.

So I set it as follows.

[search]
base_max_searches = 24
max_searches_per_cpu = 4

[scheduler]
max_searches_perc = 200

however, my splunk so slow.

I can't access splunk and putty shell

why?

I am splunk novice.

please help me.

thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎04-24-2019 03:00 PM

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎04-24-2019 03:00 PM

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

YUNHYEONG
Explorer
‎04-26-2019 03:13 AM

ty your answer but, i will upgrade my server. it is 8 core. how do i set my server?

0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎04-29-2019 07:30 AM

I would suggest testing the parameters I supplied. I think the most important change in your config is the max_searches_perc, which you previously had/have set to 200%. Try the suggested settings then evaluate how your system performs.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

YUNHYEONG
Explorer
‎04-29-2019 07:30 PM

thank you. It helped me a lot.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...