Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do scheduled searches work?

perfecto25
Path Finder
‎06-27-2018 06:18 AM

General question about how scheduling searching behaves,

we have a 3 node SH cluster and couple of indexers, and the SH cluster has 5-10 custom inhouse apps that do a ton of searches, very heavy on mem usage

we are seeing lots of "out of memory" errors on some of the SH nodes and some of the indexers, and the only thing that I can think of that can be eating up this much memory is our searches

When a SH starts a scheduled search, does it impact Indexer's performance in any way or is all the memory usage only on the Search Head itself? How does the indexer and SH break down the search during runtime?

I'm thinking of adding search limits (in terms of how much memory each search can use) using limits.conf on each search head.

Thanks

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2018 11:13 AM

Get all the RAM that you can for your Search Heads, then for your Indexers. Max them out. The cost is low and the benefit is tremendous. Also, upgrade to 7.1.2 the day that it comes out. There are MAJOR memory leaks in all 7.* versions, but ESPECIALLY 7.1.*.

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎06-27-2018 08:17 AM

When talking about "out of memory" errors, it would be good to tell us what version of splunk you are on. There have been memory leak issues in the 7.X versions, so if you're on one of those advanced versions, it's not necessarily your searches that are the issue.

Please join the splunk slack channel, and chat in the #general sub-channel in order to do a quick triage on your issue, and we'll go from there.

0 Karma
Reply

perfecto25
Path Finder
‎06-27-2018 08:41 AM

thanks for the heads up, I applied to join the slack channel

is there a document that details these issues? Dont see anything about mem leaks in 7.1 release notes/known issues

0 Karma
Reply

perfecto25
Path Finder
‎06-27-2018 08:32 AM

our SH cluster is running 7.1.1

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎06-27-2018 07:01 AM

Hi @perfecto25,

Regardless of whether the search is a scheduled search or on demand search, indexers are involved since your data is stored in indexers. Your search is sent to the indexers and look for data based on your search criteria and pulls results. The retrieved data is further processed based on the subsequent search commands.

Have a look at this .conf presentation to have a better understanding How search works

Also since your environment is clustered, please refer to How search works in an indexer cluster

Also The anatomy of a search will give you more information

Happy Splunking!
Reply

perfecto25
Path Finder
‎06-27-2018 07:13 AM

Thank you! Will read through this.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...