Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my real time search job keeps getting killed?

robertlynch2020
Motivator
‎03-07-2019 08:38 AM

Hi

I have a real time search over the past 5 minutes, however it works for 30 seconds an then it dies.
any ideas?

I have this search at the top of my HOME page users log in and see data flowing into the system from there hosts.
alt text
alt text

Thanks in advance
Robert 🙂

Tags (1)
Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

robertlynch2020
Motivator
‎03-07-2019 02:44 PM

Hi

So in the end i found the issue.
At the top of my dashboard i had the following refresh="30". When the first refresh comes into play, it killed the real time search i was running. But not all of them, i was running 2, only one stopped.

1st was killed - index=mlc_live | stats count as Events by _time host | timechart span=5s count(Events) as Events by host.
I was running it into a column chart.

2nd did not die (not sure why) index=mlc_live and i am was pursing it out to Events visualization

So i am assuming this is note the way it is suppost to be, but removing the refresh makes it go away.

cheers to all for there suggestions

Rob

View solution in original post

Reply
Solved! Jump to solution
Solution

robertlynch2020
Motivator
‎03-07-2019 02:44 PM

Hi

So in the end i found the issue.
At the top of my dashboard i had the following refresh="30". When the first refresh comes into play, it killed the real time search i was running. But not all of them, i was running 2, only one stopped.

1st was killed - index=mlc_live | stats count as Events by _time host | timechart span=5s count(Events) as Events by host.
I was running it into a column chart.

2nd did not die (not sure why) index=mlc_live and i am was pursing it out to Events visualization

So i am assuming this is note the way it is suppost to be, but removing the refresh makes it go away.

cheers to all for there suggestions

Rob

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-07-2019 06:37 PM

WOW! That is brilliant. Thank you for sharing (this might come up for me later). Be ware that you can set refresh on each panel instead of globally at the top.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-07-2019 02:13 PM

Does it happen even if you leave the tab in the foreground?

These days browsers like Chrome aggressively throttle backgrounded tabs. This can cause the real-time search to think you have closed the window and it will auto-cancel the search. I was able to just replicate this with a lot of tabs open and backgrounding the tab for 30 seconds. There are workarounds you can do to Chrome to prevent this behaviour.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-07-2019 10:26 AM

When you figure out what is doing that, post back here and let us know. I would like to deploy whatever it is to every Splunk Search Head that I administer!!!!

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-07-2019 10:53 AM

I like your way of thinking.. It's a feature not a bug!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-07-2019 08:54 AM

Have you confirmed that your hardware can handle the realtime search? What does the internal logs say when it gets killed?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...