Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Warning on the search

aniello_cerrato
Path Finder
‎04-10-2018 02:58 AM

Hi,

I have the below error when I execute the query on Splunk, the problem is present only in Production env and not in dev environment.

Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.

Please help me on this.

Thanks,
Aniello

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-10-2018 04:36 AM

Hi aniello_cerrato,
$SYSTEM$, $RELEASE_WIND$, $RELEASE_MODE$ and $ENV_DEPLOY$ are dashboard tokens, is it correct?
At first modify your search because best practices say that it's conevenient to have search parameters as left as you can.

index=devops source="DOO_DEPLOY_HST" STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ 
| dedup ID
| timechart span=1d count by STATUS

Then what's Time period you used?
In addition, $SYSTEM$, $RELEASE_MODE$ and $ENV_DEPLOY$ are full text searches or field searches?
If you use a not structured search on a large time period it's easy to have slow performaces.

Warning message says that you have events in many buckets, so search could be slow.
Did you used default parameter for ingestion or do you used special values?

Ciao.
Giuseppe

0 Karma
Reply

aniello_cerrato
Path Finder
‎04-10-2018 05:23 AM

Hi Giuseppe,

thanks for the reply. I use the same query also in test environment and I don't have this warning.

What you mean about the below point?

Did you used default parameter for ingestion or do you used special values?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-10-2018 05:32 AM

This means that you can configure the number of buckets to archive logs.

I don't know why in test environment you haven't this message, have you many concurrent users?
do you have this message every time or sometimes: it doesn't seem an overload problem.

Bye.
giuseppe

0 Karma
Reply

aniello_cerrato
Path Finder
‎04-10-2018 05:37 AM

I have this problem always in production env, there is some condition on the index?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-10-2018 07:32 AM

on index you can give access to a user role.
Have you the message only from a user or also running search by admin?
If you haven't message by admin problem is on role permissions.

Bye.
Giuseppe

0 Karma
Reply

aniello_cerrato
Path Finder
‎04-10-2018 03:49 AM

Hi Giuseppe,

I execute this query, the warning appears on the dashboard.

index=devops source="DOO_DEPLOY_HST" |dedup ID | search STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ | timechart span=1d count by STATUS

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-10-2018 03:10 AM

Hi aniello_cerrato
could you share more information?
what's the error?
what kind of search you're using?

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...