Splunk Enterprise

Splunk searches skipped after upgrading to 8.1.0

vagsec
New Member

Hi all,

I have upgraded our Splunk index cluster from 7.3.0 to 8.1.0 and since then I see the below red message on search head:

 

The percentage of non high priority searches skipped (50%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=20. Total skipped Searches=10

 

 

Do you have any ideas how could I recover from this?  And what is causing it? I took all the steps as described here https://docs.splunk.com/Documentation/Splunk/8.1.0/Installation/AboutupgradingREADTHISFIRST 

I have followed this problem as well, but no luck: https://community.splunk.com/t5/Installation/Rolling-upgrade-restart-scheduled-searches-skipped-erro...

 

Regards,

Evang

Regards,

Evang

0 Karma

SirDrake7
Explorer

@vagsec 

 

Did you ever get this resolved by chance?  I am having the same issue.

Thank you,

Tags (1)
0 Karma

vagnet
Explorer

Hi SirDrake7. I resolved it by increasing the maximum number of concurrent searches on the limits.conf file.

0 Karma

SirDrake7
Explorer

Thank you,

 

Would you be able to share the section you added?

 

I ended up going in to Settings: Server Settings:  Search Preferences:  and I increased the Relative concurrency limit for scheduled searches and summarization searches from 50% to 100%.  Based off what supported stated my searches should not require any change over 50% - not to mention I had doubled my CPU's and upped my RAM x4 lol.  So if there is a config file change that would be better than my fix.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...