Splunk Search

Warning on the search

aniello_cerrato
Path Finder

Hi,

I get the error below when I execute the query on Splunk; the problem is present only in the Production environment and not in the dev environment.

Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.

Please help me on this.

Thanks,
Aniello

0 Karma

gcusello
SplunkTrust

Hi aniello_cerrato,
$SYSTEM$, $RELEASE_WIND$, $RELEASE_MODE$ and $ENV_DEPLOY$ are dashboard tokens, is that correct?
First, modify your search, because best practice says it is convenient to have the search parameters as far left as you can.

index=devops source="DOO_DEPLOY_HST" STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ 
| dedup ID
| timechart span=1d count by STATUS

Then, what time period did you use?
In addition, are $SYSTEM$, $RELEASE_MODE$ and $ENV_DEPLOY$ full-text searches or field searches?
If you use an unstructured search over a large time period, it is easy to get slow performance.

The warning message says that you have events in many buckets, so the search could be slow.
Did you use the default parameters for ingestion, or did you use special values?

Ciao.
Giuseppe

0 Karma

aniello_cerrato
Path Finder

Hi Giuseppe,

thanks for the reply. I use the same query in the test environment as well, and I don't get this warning there.

What do you mean by the point below?

Did you use the default parameters for ingestion, or did you use special values?

0 Karma

gcusello
SplunkTrust

This means that you can configure the number of buckets to archive logs.

I don't know why you don't get this message in the test environment; do you have many concurrent users?
Do you get this message every time, or only sometimes? It doesn't seem to be an overload problem.

Bye.
Giuseppe

0 Karma
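As an added diagnostic (this is not part of the thread and not the poster's own search): the exact text quoted in the question, "Expect slower search speeds as we search the reduced buckets", is the message Splunk emits when a search's time range reaches buckets whose tsidx files have been reduced (indexes.conf setting enableTsidxReduction, applied after timePeriodInSecBeforeTsidxReduction). The quickest way to see whether production differs from test in this respect is to list bucket tsidx state per indexer with dbinspect. The index name devops is taken from the original search; the field names (endEpoch, splunk_server, tsidxState) are standard dbinspect output.

```spl
| dbinspect index=devops
| eval ageDays=round((now()-endEpoch)/86400, 1)
| stats count AS buckets, min(ageDays) AS newestBucketAgeDays, max(ageDays) AS oldestBucketAgeDays BY splunk_server, tsidxState
| sort splunk_server, tsidxState
```

Run it over the same time range as the dashboard, in both environments. Rows with tsidxState=mini are the reduced buckets; if production shows them within the dashboard's time range and test does not, compare the devops stanza in indexes.conf on the two systems (for example with splunk btool indexes list devops --debug), or narrow the dashboard's time range so it stays inside the full buckets. The warning itself is informational: the search results are complete, only the part of the search that touches reduced buckets is slower.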

aniello_cerrato
Path Finder

I always have this problem in the production environment; is there some condition on the index?

0 Karma

gcusello
SplunkTrust

On an index you can give access to a user role.
Do you get the message only for one user, or also when running the search as admin?
If you don't get the message as admin, the problem is in the role permissions.

Bye.
Giuseppe

0 Karma

aniello_cerrato
Path Finder

Hi Giuseppe,

I execute this query and the warning appears on the dashboard.

index=devops source="DOO_DEPLOY_HST" |dedup ID | search STATUS="COMPLETED" $SYSTEM$ RELEASE_WIND=$RELEASE_WIND$ $RELEASE_MODE$ $ENV_DEPLOY$ | timechart span=1d count by STATUS

0 Karma

gcusello
SplunkTrust

Hi aniello_cerrato,
could you share more information?
What is the error?
What kind of search are you using?

Ciao.
Giuseppe

0 Karma