Search Summary Page Automatically Runs Real-Time Searches?

I_am_Jeff
Communicator

I'm tracking down users that abuse real-time searches, as I've been seeing this gold warning bar a lot lately.

Metadata results may be incomplete: 100000 entries have been received from all peers (see parameter maxcount under the [metadata] stanza in limits.conf), and this search will not return metadata information for any more entries. (sid=rt_1380116912.11287.searchhead01)

I was surprised that I had three running! I tracked it down to the Search Summary page. I'm assuming the searches update Events Indexed, Earliest Event, and Latest Event. The Jobs page shows one of the searches is:

| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" [real-time]

The Jobs page shows the three as Running (100%); they quickly use 30 MB (and keep climbing, but more slowly), and the expiration time always seems to be 10 minutes in the future.

I'd like to take the real-time out of the search to make it play nice. Is there a way to do this? I've been parked at the summary page for 40 minutes and the searches now use 50 MB. I have pooled search heads and assume this is consuming space in my pool area. My users also get worried when they see the warning messages.

I've seen this for version 4: HALP! Consulting the summary dashboard of the search app causes my system to run out of memory! I'm using version 5.0.4, build 172409.

sowings
Splunk Employee
Splunk Employee

I'd recommend simply making the landing page of the search app into the "flashtimeline" view instead. This is where most people are headed when they're going into the search app anyway.

This can be done by first visiting the search app, then going into the Manager -> User Interface -> Navigation, and moving the default="true" marker from dashboard_live to flashtimeline.

If you need to change these searches on the summary page, you'd edit the view, removing the "earliest=rt" and "latest=rt" markers. I can provide more specific guidance if that's really what you're after.

sherm77
Path Finder

There's another answer for those who are on 6.2.x now: you can turn off the metadata search that automatically runs...

http://answers.splunk.com/answers/141179/how-to-remove-automatic-real-time-searches-that-run-when-us...

I turned off just the search that displays how many events, earliest & latest events. I retained the Data Summary button, since some users use it to see what hosts are out there, etc. That search does not kick off until they press the button, but it does run until they close the dialog box.

In the link above, you will see that you need to put this in the ./etc/system/local/ui-prefs.conf:

# This shows how many events (in real-time), earliest & latest times
display.prefs.enableMetaData=0

# This shows the Data Summary button where you can see hosts, source & sourcetypes (in real-time)
display.prefs.showDataSummary=0

It works for me in 6.2.0.

BTW, I also changed the timepicker default, it was All-Time (not my preference at all), so I changed it to -15m. It works like a charm.

My ui-prefs.conf looks like this now:

[search]
dispatch.earliest_time = -15m
dispatch.latest_time = now

[default]
dispatch.earliest_time = -15m
dispatch.latest_time = now

display.prefs.enableMetaData=0
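A small lint for the ui-prefs.conf change described in this thread, added here as an example and not code from the thread or from Splunk. It assumes the usual Splunk stanza precedence (an app stanza such as [search] overrides [default]) and that Splunk does not support trailing comments on a value line, so a value written as "0 #comment" would not be read as 0; the sample file is constructed.

```python
import configparser

# Constructed sample in the shape of the ui-prefs.conf posted above,
# with an inline comment deliberately left on one value line.
SAMPLE_UI_PREFS = """\
[search]
dispatch.earliest_time = -15m
dispatch.latest_time = now

[default]
dispatch.earliest_time = -15m
dispatch.latest_time = now
display.prefs.enableMetaData=0 #This shows how many events (in real-time)
"""

# Keys that control the summary page's automatic real-time searches.
RT_KEYS = ("display.prefs.enableMetaData", "display.prefs.showDataSummary")


def parse_ui_prefs(text):
    """Parse Splunk-style stanzas into {stanza: {key: raw value}}.

    Only whole-line '#' comments are stripped; a trailing '#...' stays in
    the value, which is how Splunk would see it (assumption, see lead-in).
    """
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=("#",),
                                   inline_comment_prefixes=None)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_real_time_prefs(text, app="search"):
    """Return findings for keys that are unset, carry an inline comment,
    or are not 0 once [app] over [default] precedence is applied."""
    stanzas = parse_ui_prefs(text)
    findings = []
    for key in RT_KEYS:
        value = stanzas.get(app, {}).get(key, stanzas.get("default", {}).get(key))
        if value is None:
            findings.append(f"{key}: not set; summary page still runs its real-time search")
        elif "#" in value:
            findings.append(f"{key}: value {value!r} carries an inline comment; move it to its own line")
        elif value.strip() != "0":
            findings.append(f"{key}: set to {value!r}, expected 0")
    return findings


if __name__ == "__main__":
    for finding in check_real_time_prefs(SAMPLE_UI_PREFS):
        print(finding)
```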

sowings
Splunk Employee
Splunk Employee

This old answer no longer applies. Please use the ui-prefs.conf changes described below.

I_am_Jeff
Communicator

Manager -> User Interface -> Navigation Menus. Modified and saved the XML as you described. As expected, my pooled search heads all changed at once.

Thanks!

richgalloway
SplunkTrust
SplunkTrust

There have been changes over the years and this solution does not work with 7.2.x (possibly much earlier).
What worked for me is to change $SPLUNK_HOME/etc/system/local/ui-prefs.conf similar to @sherm77's answer.

[search]
display.prefs.enableMetaData = 0
display.prefs.showDataSummary = 0
---
If this reply helps you, Karma would be appreciated.

jawaharas
Motivator

Spot on. Thanks.
