Warning on the search

aniello_cerrato
Path Finder

Hi,

I have the below error when I execute the query on Splunk, the problem is present only in Production env and not in dev environment.

Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.

Please help me on this.

Thanks,
Aniello


gcusello
SplunkTrust

Hi aniello_cerrato,
$SYSTEM$, $RELEASE_WIND$, $RELEASE_MODE$ and $ENV_DEPLOY$ are dashboard tokens, is that correct?
First, modify your search, because best practice says it's convenient to have search parameters as far left as you can.

index=devops source="DOO_DEPLOY_HST" STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ 
| dedup ID
| timechart span=1d count by STATUS

Then, what time period did you use?
In addition, are $SYSTEM$, $RELEASE_MODE$ and $ENV_DEPLOY$ full-text searches or field searches?
If you use an unstructured search over a large time period, it's easy to get slow performance.

The warning message says that you have events in many buckets, so the search could be slow.
Did you use the default parameters for ingestion, or did you use special values?

Ciao.
Giuseppe

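One setting that produces exactly this warning, as an added illustration that is not part of the thread: Splunk's tsidx reduction, configured per index in indexes.conf. The stanza below is a placeholder for the devops index (paths and values are assumed, not taken from the poster's deployment); comparing the effective values between production and test, for example with `splunk btool indexes list devops --debug` on each indexer, shows whether only production has reduction enabled or a shorter reduction period.

```ini
# indexes.conf (added example; stanza name, paths and values are placeholders)
[devops]
homePath   = $SPLUNK_DB/devops/db
coldPath   = $SPLUNK_DB/devops/colddb
thawedPath = $SPLUNK_DB/devops/thaweddb

# When enabled, the tsidx (index) files of buckets older than the period
# below are reduced to save disk. Searches that touch those buckets fall
# back to scanning raw data, and Splunk shows the warning
# "Expect slower search speeds as we search the reduced buckets."
enableTsidxReduction = true

# Age in seconds after which a bucket's tsidx files are reduced.
# 604800 = 7 days; a large time range in the dashboard will hit reduced
# buckets much sooner than the same search in an environment where this
# is disabled or set to a longer period.
timePeriodInSecBeforeTsidxReduction = 604800
```

If reduction is the cause, narrowing the dashboard's time range, or raising the period (or disabling reduction) for this index in production, removes the warning; the query reorder above still helps, because fewer events have to be read from the reduced buckets.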

aniello_cerrato
Path Finder

Hi Giuseppe,

thanks for the reply. I also use the same query in the test environment and I don't have this warning.

What do you mean by the below point?

Did you used default parameter for ingestion or do you used special values?


gcusello
SplunkTrust

This means that you can configure the number of buckets to archive logs.

I don't know why you don't have this message in the test environment; do you have many concurrent users?
Do you get this message every time or only sometimes? It doesn't seem to be an overload problem.

Bye.
giuseppe


aniello_cerrato
Path Finder

I always have this problem in the production env; is there some condition on the index?


gcusello
SplunkTrust

On an index you can give access to a user role.
Do you get the message only as a user, or also when running the search as admin?
If you don't get the message as admin, the problem is in the role permissions.

Bye.
Giuseppe


aniello_cerrato
Path Finder

Hi Giuseppe,

I execute this query and the warning appears on the dashboard.

index=devops source="DOO_DEPLOY_HST" |dedup ID | search STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ | timechart span=1d count by STATUS


gcusello
SplunkTrust

Hi aniello_cerrato,
could you share more information?
What's the error?
What kind of search are you using?

Ciao.
Giuseppe
