Splunk Search

The system is approaching the maximum number of historical searches that can be run concurrently. current=7 maximum=8

jangid
Builder

I am not searching anything, so why is the above message displayed very frequently?
I have also deleted all saved searches.


Takajian
Builder

Some real-time searches will be run whenever you view the top of the search App. And I guess some saved searches still remain, so you see the warning.


dbroggy
Path Finder

A more current answer is here:
https://answers.splunk.com/answers/607068/the-maximum-number-of-concurrent-historical-search.html
I believe it simply comes down to how many searches you're running vs how many CPUs you have.
If you bother to change limits.conf just to remove the message, it won't change the fact that you're limited by the number of CPUs.

wagnerbianchi
Splunk Employee

This is OK now. The procedures to fix that are below...

$ sudo touch $SPLUNK_HOME/etc/system/local/limits.conf
$ sudo vim $SPLUNK_HOME/etc/system/local/limits.conf

[search]
base_max_searches=100
max_searches_per_cpu=10

$ sudo $SPLUNK_HOME/bin/splunk restart

Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.

Stopping splunk helpers...

Done.

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory...
Validated databases: _audit _blocksignature _internal _thefishbucket appmgmt blackberry history main msexchange perfmon sos sos_summary_daily summary summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes
Done
Success
Checking conf files for typos...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done.
Starting splunkweb... Done.

If you get stuck, we're here to help.

Look for answers here: http://docs.splunk.com/Documentation/Splunk

The Splunk web interface is at http://myhost:8000

Cheers!
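
The arithmetic behind the warning and the override above, as an added example that is not part of the original thread or Splunk's own code. It assumes the formula given in the limits.conf spec (max_searches_per_cpu x number_of_cpus + base_max_searches) and the documented defaults of 6 and 1, which may differ in your version; the function names are hypothetical.

```python
import configparser

# Assumed shipped defaults for the [search] stanza (check your version's limits.conf spec).
DEFAULTS = {"base_max_searches": 6, "max_searches_per_cpu": 1}


def search_settings(*conf_texts):
    """Merge [search] stanzas; later texts win, as system/local does over system/default."""
    merged = dict(DEFAULTS)
    for text in conf_texts:
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        if parser.has_section("search"):
            for key in DEFAULTS:
                if parser.has_option("search", key):
                    merged[key] = parser.getint("search", key)
    return merged


def max_hist_searches(settings, cpus):
    """Ceiling on concurrent historical searches for a host with `cpus` cores."""
    return settings["max_searches_per_cpu"] * cpus + settings["base_max_searches"]


def cpus_implied(settings, maximum):
    """CPU count that yields the 'maximum=' value in the warning, or None if none fits."""
    per_cpu = settings["max_searches_per_cpu"]
    extra = maximum - settings["base_max_searches"]
    if per_cpu <= 0 or extra < 0 or extra % per_cpu:
        return None
    return extra // per_cpu


# The local override posted in this thread, copied from the page.
POSTED_LOCAL = """
[search]
base_max_searches=100
max_searches_per_cpu=10
"""

if __name__ == "__main__":
    stock = search_settings()
    cpus = cpus_implied(stock, 8)  # warning on this page: current=7 maximum=8
    raised = search_settings(POSTED_LOCAL)
    print("CPUs implied by maximum=8 with defaults:", cpus)
    print("ceiling with defaults:", max_hist_searches(stock, cpus))
    print("ceiling with posted override:", max_hist_searches(raised, cpus))
```

On the same hardware the override only raises the number of searches Splunk will admit at once; the CPU count that has to serve them is unchanged.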

mbuehler_splunk
Splunk Employee

I downvoted this post because things

0 Karma

nmiller_splunk
Splunk Employee

I downvoted this post because this answer will quite likely bury the indexers and/or crash the search heads. Simply put, it is technically incorrect.

0 Karma

jsie_splunk
Splunk Employee

I downvoted this post because this is very dated information that is no longer valid and may result in a seriously broken environment. Please do not set settings this high without consultation.

0 Karma

ehorton_splunk
Splunk Employee

This is more than a little dated, and the way these configurations work has changed in 5 years.
Do NOT use these settings in limits.conf
The error message will go away, but plenty of new pain will result.

BrendanCO
Path Finder

Thank you, Sir! Worked like a charm. Now to make sure I don't overload my server with too many real-time alerts 🙂

0 Karma

demodav
Path Finder

Doesn't seem to work anymore.

0 Karma

mtime24
Path Finder

Does this error affect anything, or can it be easily ignored?

0 Karma

wagnerbianchi
Splunk Employee

Is there any parameter to configure anywhere in Splunk in order to fix this problem or stop showing this message?

0 Karma

jangid
Builder

Any Updates?

0 Karma