Hi cusello,

thanks for your reply. We know about the option to modify hardware & configs. But the issue would not be such a problem, when all searches would be queued. Then it would simply take longer to load the dashboard.
But we often see these canceled search, which finally means that the dashboard won't finalze. But I haven't found a pattern when it happens.

Hi HeinzWaescher,
Maybe some of your searches are timeouted.
if you open a search in the Search dashboard can you run it?
after result, see job inspector and see if meybe there is a timeout.
Bye.
Giuseppe

I can't click the "open in search" button for these searches. The job Inspector says "unknown sid"

open in search before they are timeouted.
Bye.
Giuseppe

The error appears instantly when the dashboard is opened and Splunk tries to run to many searches. So there is no time until a timeout so that I could crosscheck it.
(Or I just don't understand what you mean :))

take the search from your dashboard source and execute it in search (manually inserting eventual parameters) , to see if the problem is a timeout.
Bye.
Giuseppe

ah okay 🙂 that works fine, starting instantly and finalizing fast.

Try to rebuild your dashboard search by search and then putting inputs, maybe there's an error in parameters passing.
Bye.
Giuseppe

I think I got it.
I created two dashboards. The first included saved non-scheduled searches, the second includes the same searches as inline searches.

I opened both dashboards:
The first dashboard started calculating results for max limit of concurrent searches, the rest was cancelled.
In the second dashboard all inline searches were queued and finalized step by step, nothing was cancelled. So it depends how the search in implemented in the dashboard.