Skipped SavedSearches

RobertRi
Communicator

Hi!

I sometimes get messages that some saved searches are skipped.

The only information I get is an event in the _internal index:

SavedSplunker - savedsearch_id="nobody;search;ACCELERATE_7CAC94EC-6F34-4F37-B192-9996EAE4C489_search_nobody_4467991e0c91c9ca_ACCELERATE"

How can I determine which saved search causes these messages, and how can I modify the schedule?

Thanks
Rob

ddrillic
Ultra Champion

This skipped saved searches behavior is very painful. One thing you can do is to look at the scheduling of these saved searches and try to space them out. If 30 of them are scheduled at the top of the hour and nothing else in the next couple of minutes, go and distribute them evenly. It's interesting because it goes to the area of distributed administration - power users don't have a view into the overall scheduling and naturally they would keep their alerts at clean intervals. We, the admins, need to go and separate them. The product should help us more in this regard and potentially offer the power users "open reliable" spots...

joebisesi
Path Finder

Does your Splunk environment have a DMC configured? If so, under Search>Scheduler Activity>Instance there are some dashboards that have drill downs that should help you to track down the skipped searches.

With it having 'ACCELERATE' you could also look in Settings>Searches, Reports, and Alerts. Use 'Nobody' as the owner, and see if any of them are Accelerated.

The DMC route is the best and quickest, as near the bottom of the page there is a 'Count of Skipped Reports By Name and Reason' that should give you the details you need.
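
Where no DMC is available, the same "skipped by name and reason" breakdown can be computed from the scheduler events themselves. The following is an added example, not part of the original thread or Splunk's own code; it assumes events carry comma-separated key=value fields like the one quoted in the question, and the `status` and `reason` values, timestamps and the "Hourly Errors" search in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the event quoted in the question.
# Only the first savedsearch_id comes from the thread; reasons, timestamps
# and the "Hourly Errors" search are made up for this example.
ACCEL = ("ACCELERATE_7CAC94EC-6F34-4F37-B192-9996EAE4C489"
         "_search_nobody_4467991e0c91c9ca_ACCELERATE")
SAMPLE_LOG = "\n".join([
    f'05-01 10:00:01 INFO SavedSplunker - savedsearch_id="nobody;search;{ACCEL}", '
    'status=skipped, reason="constructed: concurrency limit reached"',
    f'05-01 10:10:01 INFO SavedSplunker - savedsearch_id="nobody;search;{ACCEL}", '
    'status=skipped, reason="constructed: concurrency limit reached"',
    '05-01 11:00:00 INFO SavedSplunker - savedsearch_id="admin;search;Hourly Errors", '
    'status=skipped, reason="constructed: previous run still active (limit=1)"',
    '05-01 11:05:00 INFO SavedSplunker - savedsearch_id="admin;search;Hourly Errors", '
    'status=success, run_time=2.1',
])

# key="quoted value" or key=bare_value; quoted values may contain '=' and ','.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler event as a dict."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}

def split_id(savedsearch_id):
    """savedsearch_id is owner;app;name. The name may itself contain ';'."""
    owner, app, name = savedsearch_id.split(";", 2)
    return owner, app, name

def skipped_by_name_and_reason(text):
    """Count skipped runs per (owner, app, search name, reason)."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("status") != "skipped" or "savedsearch_id" not in fields:
            continue
        key = split_id(fields["savedsearch_id"]) + (fields.get("reason", "unknown"),)
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (owner, app, name, reason), n in skipped_by_name_and_reason(SAMPLE_LOG).most_common():
        print(f"{n:3d}  owner={owner} app={app} name={name}\n     reason={reason}")
```

The owner and app from the split ID are the values to filter on in Settings>Searches, Reports, and Alerts when looking for the report whose schedule needs changing.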
