Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I see the top skipped searches?

danielbb
Motivator
‎01-03-2020 09:16 AM

Is there a way to categorize the skipped searches by volume, by time of invocation, etc? We are trying to understand which searches are being skipped and why?

Tags (2)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎01-05-2020 07:25 PM

The monitoring console works well as per the above posts, alternatively in Alerts for Splunk Admins (SplunkBase), the simplified version of:
AllSplunkEnterpriseLevel - Splunk Scheduler skipped searches and the reason (github)

Is:

index=_internal sourcetype=scheduler status=skipped source=*scheduler.log  
| fillnull concurrency_category concurrency_context concurrency_limit
| stats count, earliest(_time) AS firstSeen, latest(_time) AS lastSeen by savedsearch_id, reason, app, concurrency_category, concurrency_context, concurrency_limit, search_type, user, host 
| eval firstSeen = strftime(firstSeen, "%+"), lastSeen=strftime(lastSeen, "%+")

Please hit accept on the most appropriate answer, although up voting is also appreciated 🙂

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2020 10:00 AM

The Monitoring Console (Settings->Monitoring Console->Search->Scheduler Activity) offers several breakdowns of skipped searches over time. You can click the magnifying glass icon in any of them to open the panel in Search so you can customize it as desired.

---
If this reply helps you, Karma would be appreciated.
Reply

danielbb
Motivator
‎01-03-2020 11:16 AM

Mostly it's about - The maximum number of concurrent running jobs for this historical scheduled search on this instance has been reached (2).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2020 11:50 AM

If you don't find that in in the MC try this query.

index=_internal source=*scheduler.log "The maximum number of concurrent running jobs for this historical scheduled search" 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

aberkow
Builder
‎01-03-2020 09:51 AM

Hey - check out the answer I posted here - https://answers.splunk.com/answers/790088/splunk-searches-delayed.html#answer-790351, I leverage the Monitoring Console really heavily for their built in searches!

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...