Search Summary Page Automatically Runs Real-Time Searches?

Communicator

I'm tracking down users that abuse real-time searches, as I've been seeing this gold warning bar a lot lately.

Metadata results may be incomplete: 100000 entries have been received from all peers (see parameter maxcount under the [metadata] stanza in limits.conf), and this search will not return metadata information for any more entries. (sid=rt_1380116912.11287.searchhead01)

I was surprised that I had three running! I tracked it down to the Search Summary page. I'm assuming the searches update Events Indexed, Earliest Event, and Latest Event. The Jobs page shows one of the searches is:

| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" [real-time]

The Jobs page shows the three are Running (100%); they quickly use 30 MB (and keep climbing, but more slowly), and the expiration time always seems to be 10 minutes in the future.

I'd like to take the real-time out of the search to make it play nice. Is there a way to do this? I've been parked at the summary page for 40 minutes and the searches now use 50 MB. I have pooled search heads and assume this is consuming space in my pool area. My users also get worried when they see the warning messages.

I've seen this for version 4. HALP! Consulting the summary dashboard of the search app causes my system to run out of memory! I'm using version 5.0.4, build 172409.

1 Solution

Splunk Employee

I'd recommend simply making the landing page of the search app into the "flashtimeline" view instead. This is where most people are headed when they're going into the search app anyway.

This can be done by first visiting the search app, then going into the Manager -> User Interface -> Navigation, and moving the default="true" marker from dashboard_live to flashtimeline.

If you need to change these searches on the summary page, you'd edit the view, removing the "earliest=rt" and "latest=rt" markers. I can provide more specific guidance if that's really what you're after.


Path Finder

There's another answer for those who are on 6.2.x now: you can turn off the metadata search that automatically runs...

http://answers.splunk.com/answers/141179/how-to-remove-automatic-real-time-searches-that-run-when-us...

I turned off just the search that displays how many events, earliest & latest events. I retained the Data Summary button, since some users use it to see what hosts are out there, etc. That search does not kick off until they press the button, but it does run until they close the dialog box.

In the link above, you will see that you need to put this in the ./etc/system/local/ui-prefs.conf:

# This shows how many events (in real-time), earliest & latest times
display.prefs.enableMetaData=0

# This shows the Data Summary button where you can see hosts, source & sourcetypes (in real-time)
display.prefs.showDataSummary=0

It works for me in 6.2.0.

BTW, I also changed the timepicker default; it was All Time (not my preference at all), so I changed it to -15m. It works like a charm.

My ui-prefs.conf looks like this now:

[search]
dispatch.earliest_time = -15m
dispatch.latest_time = now

[default]
dispatch.earliest_time = -15m
dispatch.latest_time = now

display.prefs.enableMetaData=0


Splunk Employee

This old answer no longer applies. Please use the ui-prefs.conf changes described below.


Communicator

Manager -> User Interface -> Navigation Menus. Modified and saved the XML as you described. As expected, my pooled search heads all changed at once.

Thanks!


SplunkTrust

There have been changes over the years and this solution does not work with 7.2.x (possibly much earlier).
What worked for me is to change $SPLUNK_HOME/etc/system/local/ui-prefs.conf similar to @sherm77's answer.

[search]
display.prefs.enableMetaData = 0
display.prefs.showDataSummary = 0
---
If this reply helps you, an upvote would be appreciated.
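Added example for this thread (not code from any of the answers above, and not Splunk's own tooling): a small audit script that reads a ui-prefs.conf the way the two answers above configure it and reports whether the real-time metadata search and the Data Summary button are actually disabled for the search app. It assumes Splunk's documented stanza precedence within one file (the app's own stanza overrides [default]) and that Splunk does not support trailing comments on a setting line, so `display.prefs.enableMetaData=0 #comment` sets the value to the whole string rather than to 0. The sample conf texts are constructed to match the files posted in this thread; run it against `$SPLUNK_HOME/etc/system/local/ui-prefs.conf` on each pooled search head to confirm the change took everywhere.

```python
"""Audit a Splunk ui-prefs.conf for the settings the answers above use to stop
the search app's summary page from launching real-time metadata searches.
Added example for this thread, not Splunk code; it reads only a local file or
string and talks to no Splunk instance."""
import configparser
import sys

APP = "search"
REALTIME_KEYS = (
    "display.prefs.enableMetaData",   # event count / earliest / latest (real-time)
    "display.prefs.showDataSummary",  # Data Summary button (real-time once opened)
)


def parse_ui_prefs(text):
    """Parse ui-prefs.conf text into {stanza: {key: raw value}}.

    Splunk's [default] is an ordinary stanza that other stanzas fall back to, so
    configparser's own DEFAULT section is pointed elsewhere and key case is kept.
    No inline_comment_prefixes: Splunk has no trailing comments (assumption, see
    lead-in), so a '# ...' after the value stays part of the value."""
    parser = configparser.ConfigParser(
        interpolation=None,
        strict=False,                 # repeated stanza/key: last one wins
        default_section="__unused__",
        delimiters=("=",),
        comment_prefixes=("#",),
        inline_comment_prefixes=None,
    )
    parser.optionxform = str
    parser.read_string(text)
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def effective_value(stanzas, key, app=APP):
    """The app's own stanza overrides [default]; None means the key is unset in
    this file (Splunk then uses its built-in default, which leaves the feature on)."""
    for stanza in (app, "default"):
        if key in stanzas.get(stanza, {}):
            return stanzas[stanza][key]
    return None


def audit(text, app=APP):
    """Return {key: (raw value or None, disabled?)} for the two real-time settings.
    Only an exact '0' counts as disabled; '0 #comment' does not."""
    stanzas = parse_ui_prefs(text)
    result = {}
    for key in REALTIME_KEYS:
        value = effective_value(stanzas, key, app)
        result[key] = (value, value is not None and value.strip() == "0")
    return result


def findings(text, app=APP):
    """Human-readable list of settings that still allow the automatic searches."""
    out = []
    for key, (value, disabled) in audit(text, app).items():
        if not disabled:
            shown = "unset" if value is None else repr(value)
            out.append(f"{key} is {shown} for app '{app}': real-time search still enabled")
    return out


# Constructed samples. The first mirrors the ui-prefs.conf posted above: the
# [search] stanza has no display.prefs.* keys, so enableMetaData comes from
# [default] and showDataSummary is unset.
SAMPLE_FROM_THREAD = """\
[search]
dispatch.earliest_time = -15m
dispatch.latest_time = now

[default]
dispatch.earliest_time = -15m
dispatch.latest_time = now

display.prefs.enableMetaData=0
"""

# Both keys disabled in the app stanza, as in the 7.2.x answer above.
SAMPLE_HARDENED = """\
[search]
display.prefs.enableMetaData = 0
display.prefs.showDataSummary = 0
"""

# The trap: copying the settings with their explanatory comments on the same line.
SAMPLE_TRAILING_COMMENTS = """\
[search]
display.prefs.enableMetaData=0 #This shows how many events
display.prefs.showDataSummary=0 #This shows the Data Summary button
"""

if __name__ == "__main__":
    # Usage: python ui_prefs_audit.py $SPLUNK_HOME/etc/system/local/ui-prefs.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRAILING_COMMENTS
    for line in findings(text) or ["both real-time settings are disabled"]:
        print(line)
```

Run without an argument it audits the trailing-comment sample and flags both keys; with a path it audits that file. Note that the thread's first posted file leaves `display.prefs.showDataSummary` unset, so the Data Summary button (and its real-time search, once opened) is still available there; the later `[search]` stanza with both keys set to 0 is the complete version.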

Motivator

Spot on. Thanks.
