Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduler stop working

bckq
Path Finder
‎10-18-2013 02:31 AM

I have about 150-200 scheduled searches that runs every minute. Most of searches look for data from 15 minutes till now. I noticed, that sometimes scheduler is stop working. Once it is for 2 minutes, sometimes even for 15 oraz 30 minutes. I monitor number of entries to scheduler.log and you can see the result of my tests. This situation affect on my dashboards. When scheduler has stopped, when I refresh my dashboard I will see old data, from last search done. This is serious problem, because I use Splunk for monitoring. This line should be always solid and constant.

Number of entries to scheduler log per minute.
Number of entries to scheduler log per minute.

Another thing is why Splunk runs only ~100 searches per minute if I have 200 to do.

I am using Splunk 5.0.4. One search head and two indexers.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 05:05 AM

There is a finite number of searches that splunk will run concurrently and it depends on the resources (more specifically the number of CPU cores) that your system has. While you may want the scheduler to run 200 searches per minute it may not have the capacity to do so due to insufficient number of cores (or long runtimes of each search). When that capacity is reached, by default the scheduler will skip starting/executing of the next instance of a search unless you change governing defaults in limits.conf. However, the change will not really help in actually completing said search - it will only start it and the search will run/complete when the operating system has enough resources to do so (ie. when the currently running searches release them).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bckq
Path Finder
‎10-18-2013 07:33 AM

IBM HS22 with 24 cores and 24GB RAM.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 05:05 AM

There is a finite number of searches that splunk will run concurrently and it depends on the resources (more specifically the number of CPU cores) that your system has. While you may want the scheduler to run 200 searches per minute it may not have the capacity to do so due to insufficient number of cores (or long runtimes of each search). When that capacity is reached, by default the scheduler will skip starting/executing of the next instance of a search unless you change governing defaults in limits.conf. However, the change will not really help in actually completing said search - it will only start it and the search will run/complete when the operating system has enough resources to do so (ie. when the currently running searches release them).

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-18-2013 07:45 AM

I cannot say why without looking at the scheduler.log or splunkd.log but I would assume that maybe it is because the run duration of those searches is such that the scheduler cannot run new searches until some finish.

0 Karma
Reply
Solved! Jump to solution

bckq
Path Finder
‎10-18-2013 07:34 AM

I understand that I cannot run more searches in specified time, but why does the scheduler stop working for example 15-20 minutes and then start without reason again?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-18-2013 04:16 AM

How much CPU/RAM does your Search Head / Indexers have?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...