Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I solve for skipped searches?

uagraw01
Builder
‎12-05-2022 08:10 AM

Hello Splunkers !!

I have attached below two screenshot related to skip searches. As per the below graph many times we have high number of skip searches. When I validated those I seen that workload_pool are not assigned to many saved searched ( attached in second screenshot ).

My thought here :
Because If so many searches are triggering on the same time and there is no workload_pool setting assigned then it will impact in the search performance and increase the value of skip ratio.

Please let me know I am thinking on a right way ? If not please guide me or suggest me some good workarounds. I know there many blogs available on this. But please do share , if any specific suggestion on this.

uagraw01_0-1670256613772.png

Labels (1)
Labels
0 Karma
Reply

christhianb
New Member
‎12-28-2022 10:58 AM

Hey @uagraw01 

There are different ways to fix it but everything depends on the reason of the skipped search. 

You can run index=_internal sourcetype=scheduler status=skipped | stats values(reason) by savedsearch_name

That should help you out.

Once you identity the reason, make decisions. i.e disable unnecessary alerts, reduce the Time range picker, improve the SPL. This could be a fix for the most common reason " Max Concurrent searches have been reached..." 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 08:19 AM

Hi @uagraw01,

if you're using an on-premise installation, probably your hardware isn't sufficient to work all the scheduled searches you have.

Which reference hardware are you using? how many scheduled searches?

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Builder
‎12-05-2022 08:36 AM

@gcuselloIts Splunk Cloud, and there 40+ saved searches which are showing with no workload_pool

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 08:39 AM

Hi @uagraw01,

which kind of license are you using: indexed logs or SVC?

if SVC probably you are exceeding your license.

In this case ask to you Splunk partner.

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Builder
‎12-05-2022 08:49 AM

@gcuselloCan't we control with putting some new admission rule in workload management ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 10:46 AM

Hi @uagraw01,

you could reduce your scheduled searches,

Did you checked license and hardware?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...