Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why realtime dashboard searches continue to run in the background after browser is closed?

Lucas_K
Motivator
‎07-31-2014 04:34 PM

I noticed that one particular power user was taking up almost all the realtime searches on 2 of our search heads. The twist is that this particular user didn't actually have ANY dashboards open. Yes they have dashboards with about 7 realtime searches on it but none of these had been openned in the last 10-12 hours at the time I approached them (first thing in the morning when they just turned their pc on).

Checking s.o.s again I could see that they had maxed out their roles quota of realtime searches (20 per search head for a power user).

It appeared that these searches were STILL running after the user has closed their browser. Checking their simple xml dashboard in question I found that they had a combination of saved searches (non-scheduled) and inline queries. Once again, they don't have ANY scheduled rt searches!

Aren't these sorts of searches supposed to be stopped after some amount of time after a user closes the browser? This users searches run until the search head is restarted. This is taking up valuable searches and is a waste of search head and indexing capacity.

So ... how can i tell which real time searches are actually orphans or
how can I get splunk to cull these searches that aren't going to a client?

Environment details: linux x64 splunk v6.0.3. Distributed search using search head pools & mounted bundles.

Reply
1 Solution
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎08-04-2014 04:16 PM

ok this is a bug and quite a serious one so not sure why no one else experienced it! It eventually causes your search heads & indexers to grind to a halt.

It is currently only fixed in 6.0.5. 6.1.x fix coming soon.
SPL-83708 - http://docs.splunk.com/Documentation/Splunk/6.0.5/ReleaseNotes/6.0.5

View solution in original post

Reply
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎08-04-2014 04:16 PM

ok this is a bug and quite a serious one so not sure why no one else experienced it! It eventually causes your search heads & indexers to grind to a halt.

It is currently only fixed in 6.0.5. 6.1.x fix coming soon.
SPL-83708 - http://docs.splunk.com/Documentation/Splunk/6.0.5/ReleaseNotes/6.0.5

Reply
Solved! Jump to solution

Lucas_K
Motivator
‎08-21-2014 04:24 PM

Confirmed that this is fixed in 6.0.5.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...