Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my search skipping?

kteng2024
Path Finder
‎02-28-2017 02:08 PM

Hi, 

index=_internal source=*metrics.log group=searchscheduler | timechart partial=false span=10m sum(dispatched) sum(skipped)

The above is the search i am using to find out number of skipped searches . But my question is , how to find the reasons why this search is skipping and how to stop them skipping like any configuration change?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-28-2017 02:16 PM

Run the MC Health Checks to verify your compliance to HW Standards. By far the most common reason to skip a search is that the previous run has not completed so you will enter an infinite loop if you continue to (try to) run it again and again. There are 2 main causes. If the search is too aggressive, try scaling back the earliest/latest and also the frequency of running it. Do anything you can to optimize the search. The other cause is overwhelmed indexing tier. The Health Check will tell you if your HW is not according to minimum requirements. It really should be obvious when you need more Indexers and the symptoms like you are seeing is a very common one, as well as slow ad-hoc seraches that sometimes cannot complete and timeout.

View solution in original post

Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎02-28-2017 02:22 PM

If you search for scheduler logs, you can find a field reason explaining why the search was skipped. 

index=_internal sourcetype=scheduler status=skipped

Rsolution depends on what the reason is. could be capacity or some user reaching his allocated max disk space, etc..,

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-28-2017 02:16 PM

Run the MC Health Checks to verify your compliance to HW Standards. By far the most common reason to skip a search is that the previous run has not completed so you will enter an infinite loop if you continue to (try to) run it again and again. There are 2 main causes. If the search is too aggressive, try scaling back the earliest/latest and also the frequency of running it. Do anything you can to optimize the search. The other cause is overwhelmed indexing tier. The Health Check will tell you if your HW is not according to minimum requirements. It really should be obvious when you need more Indexers and the symptoms like you are seeing is a very common one, as well as slow ad-hoc seraches that sometimes cannot complete and timeout.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...