Re: Splunk Indexers sending too much of data to se...

soumyasaha25 · ‎11-03-2020

my indexers are sending way too much of data to my search heads (close to 500 GBs in a day) which is having an impact on the bandwidth utilisation.

Although from initial investigation it seemed like some of the dashboards were running long running searches which i had killed manually, but that just helped partially, is there any other aspects that i need to look into.

richgalloway · ‎11-03-2020

Indexers should only be sending interim search results to search heads. Do you have any indication of what is in those 500GB?

Long-running searches shouldn't be much of an issue. One should look for searches that return a lot of data by using non-streaming commands too soon. For instance, table in place of fields.

---
If this reply helps you, Karma would be appreciated.

soumyasaha25 · ‎11-12-2020

Thanks @richgalloway, i could not find any issues with any search in particular (yes there were users with badly written searches but that should not impact so much) as a test i disabled the realtime metadata search that populates the search summary page (disabled it globally so that no apps have that search running) and looks like it solved the issue.

Splunk Indexers sending too much of data to search heads

administration

troubleshooting

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!