Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I solve for skipped searches?

uagraw01
Builder
‎12-05-2022 08:10 AM

Hello Splunkers !!

I have attached below two screenshot related to skip searches. As per the below graph many times we have high number of skip searches. When I validated those I seen that workload_pool are not assigned to many saved searched ( attached in second screenshot ).

My thought here :
Because If so many searches are triggering on the same time and there is no workload_pool setting assigned then it will impact in the search performance and increase the value of skip ratio.

Please let me know I am thinking on a right way ? If not please guide me or suggest me some good workarounds. I know there many blogs available on this. But please do share , if any specific suggestion on this.

uagraw01_0-1670256613772.png

Labels (1)
Labels
0 Karma
Reply

christhianb
New Member
‎12-28-2022 10:58 AM

Hey @uagraw01 

There are different ways to fix it but everything depends on the reason of the skipped search. 

You can run index=_internal sourcetype=scheduler status=skipped | stats values(reason) by savedsearch_name

That should help you out.

Once you identity the reason, make decisions. i.e disable unnecessary alerts, reduce the Time range picker, improve the SPL. This could be a fix for the most common reason " Max Concurrent searches have been reached..." 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 08:19 AM

Hi @uagraw01,

if you're using an on-premise installation, probably your hardware isn't sufficient to work all the scheduled searches you have.

Which reference hardware are you using? how many scheduled searches?

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Builder
‎12-05-2022 08:36 AM

@gcuselloIts Splunk Cloud, and there 40+ saved searches which are showing with no workload_pool

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 08:39 AM

Hi @uagraw01,

which kind of license are you using: indexed logs or SVC?

if SVC probably you are exceeding your license.

In this case ask to you Splunk partner.

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Builder
‎12-05-2022 08:49 AM

@gcuselloCan't we control with putting some new admission rule in workload management ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2022 10:46 AM

Hi @uagraw01,

you could reduce your scheduled searches,

Did you checked license and hardware?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...