Splunk Enterprise Security

Why is my server skipping a lot of accelerated searches?

Contributor

One of my servers is skipping a lot of accelerated searches, like 80% per each hour. I've got Splunk Enterprise Security (ES) on this server, as well as these additional accelerated searches, ~48 of them. These searches are the only ones being skipped, none of the ES searches are being skipped.

I was concerned that my accelerated searches weren't formed correctly, or if I didn't have enough hardware for the box (16 CPU/64GB). If that's the case, is there something on the server I can see that will show when all the cores might be in use and for how long?

My accelerated searches have a summary range of 1 year and w/ a time range between 24 days, 30 days, or 15 minutes and now, though none of the searches are scheduled. The searches do get run, and the accelerated reports show 99% complete or fully complete summary status. Any help you can provide would be appreciated.

Splunk Employee
Splunk Employee

@manderson7 - Did the answer provided by Splunker help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

Communicator

As long as your forwarding your indexes to the indexers, ensure your indexer hardware specs meet (preferably exceed) the spec defined in the ES docs.

The datamodel acceleration happens on the indexers, so check those. Sounds like your SH is ok.

http://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning#Indexer_scaling_considerat...

Cheers.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!