Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Admin searches being queued, but not running.

djreschke
Communicator
‎11-06-2020 09:43 AM

Good afternoon everyone, 

I am the Splunk admin for our instance of Splunk, and yesterday later in the afternoon, I noticed that my searches were not running anymore, and that everything was being sent to the queue? In my troubleshooting efforts I signed into another searchhead, and ran a similar search with successful results. 

Today, I thought what could be causing the issue was, i have a lot of saved searches that run with my username as the owner, so reassigned those knowledge objects, which did not fix the issue. I can see other users running searches, with no issue, so it appears to be my account. 

Any advice of where to look next or has anyone experienced this issue before? 

I am running 7.2.8 for on my searchheads and using my account not the local admin account. 

 

Thank you.

0 Karma
Reply

djreschke
Communicator
‎12-18-2020 04:27 AM

Thanks Everyone for your feedback on this topic, I did have a few jobs that need purged, and I did perform a full restart, but it was a combination of the above comments/suggestions that help and have yet to experience the issue again. 

0 Karma
Reply

djreschke
Communicator
‎11-17-2020 04:09 AM

Good morning everyone, 

Sorry for the late update, but a full restart did not work and I checked the running jobs and I don't have any running, just 5 in queue, which they have been stopped. Checking internal logs this morning. 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-18-2020 08:30 AM
And how many finalised/failed etc. jobs you have there waiting for purge?
Reply

bobd32
Engager
‎11-06-2020 12:41 PM

Full restart! 

Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-06-2020 11:34 AM
Check if your quotas has full. You could open jobs and remove some old finalized jobs and if your new jobs starts after this you know the reason. You could also check the situation from internal logs on node.
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...