Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What parameter can I modify in limits.conf to solve delayed searches?

Valen1
Engager
‎06-30-2022 09:16 AM

What parameter can i modify in limits.conf to solve that?

  • The percentage of non high priority searches delayed (80%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=13378. Total delayed Searches=10799
Labels (1)
Labels
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-01-2022 02:14 AM

You can't just tweak limits.conf to make your schedules work efficiently.

This symptom usually means that you either have too many scheduled searches (reports, alerts, corellation searches) defined altogether or - more probably - you have them squished into the same "schedule spots" as @kkrises suggested. For example - you're trying to run all your searches at 5 minutes past the hour. It's the typical case and you should spread the execution times more evenly throughout the hour, day, or however often your searches run.

In some cases you could try to run more searches at once but that's more tricky and requires more troubleshooting and diagnostics.

Reply

kkrises
Path Finder
‎07-01-2022 01:02 AM

@Valen1 - For delayed searches case, I did the below to fix it.

- Monitoring Console in your Search head would help us to determine why searches are delayed. Inside monitoring console, go to Search> Scheduler Activity: Instance. Look for Skip ratio under Runtime statistics dashlet. 

- Identified searches trying to run at the same time.  Reschedule by tweaking the cron schedules of them and skip ratio is reduced.

- Identify searches not completing before the next scheduled run-time, run them in Search app and find the average time taken to complete it. For larger indexes or datamodels especially for network, try to minimize the earliest time range to 1 hour or use summary indexes. 

Hope this helps and an upvote is appreciated. Thank you.

Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-30-2022 09:46 AM

@Valen1 - It's not under limits.conf, instead you can find it under "Set feature indicator threshold" under Health Check of Monitoring Console.

Refer - https://docs.splunk.com/Documentation/Splunk/9.0.0/DMC/Configurefeaturemonitoring

 

Though I would say this usually indicates, slow Search Head or Indexers in performing searches.

 

I hope this helps!!!

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...