Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is my search skipping?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
index=_internal source=*metrics.log group=searchscheduler | timechart partial=false span=10m sum(dispatched) sum(skipped)
The above is the search i am using to find out number of skipped searches . But my question is , how to find the reasons why this search is skipping and how to stop them skipping like any configuration change?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run the MC Health Checks to verify your compliance to HW Standards. By far the most common reason to skip a search is that the previous run has not completed so you will enter an infinite loop if you continue to (try to) run it again and again. There are 2 main causes. If the search is too aggressive, try scaling back the earliest/latest and also the frequency of running it. Do anything you can to optimize the search. The other cause is overwhelmed indexing tier. The Health Check will tell you if your HW is not according to minimum requirements. It really should be obvious when you need more Indexers and the symptoms like you are seeing is a very common one, as well as slow ad-hoc seraches that sometimes cannot complete and timeout.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you search for scheduler logs, you can find a field reason explaining why the search was skipped.
index=_internal sourcetype=scheduler status=skipped
Rsolution depends on what the reason is. could be capacity or some user reaching his allocated max disk space, etc..,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run the MC Health Checks to verify your compliance to HW Standards. By far the most common reason to skip a search is that the previous run has not completed so you will enter an infinite loop if you continue to (try to) run it again and again. There are 2 main causes. If the search is too aggressive, try scaling back the earliest/latest and also the frequency of running it. Do anything you can to optimize the search. The other cause is overwhelmed indexing tier. The Health Check will tell you if your HW is not according to minimum requirements. It really should be obvious when you need more Indexers and the symptoms like you are seeing is a very common one, as well as slow ad-hoc seraches that sometimes cannot complete and timeout.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
