Splunk Search

Too many search jobs in the dispatch directory during e-learning course

Explorer

Okay, so I'm just starting to learn Splunk using the e-learning course. I've done the first two (using Splunk, and searching and reporting) and I am about to start the first lab of the third (knowledge objects). But the web environment is giving me a warning about the fact that there are too many jobs. I see a lot of options with Linux commands or finding the folders, but I'm using a web-based Splunk on a Mac. I'm still quite a novice, so if anyone could help me I'd greatly appreciate it.

0 Karma

SplunkTrust

From your Splunk web UI, go to (on the top right menu) Activity -> Jobs, and delete all completed/done jobs. This will also clean up your dispatch directory in the background. Please note that by default it will select jobs only in the current app context and for your userid. Update the dropdowns on the page to delete all the jobs that you want.

Splunk Employee

Great suggestion!

Jacob
Sr. Technical Support Engineer
0 Karma

Splunk Employee

Mac should be able to run the same commands as any Unix-based OS. However, if you are more comfortable with using a file browser, you can manually remove dispatch folders from the dispatch directory. This folder is where the results of searches are stored until they are reaped based on the TTL of the search.

The dispatch folders can be found in the following directory: $SPLUNK_HOME/var/run/splunk/dispatch. You can either delete them all or just the older ones.

There are several well thought out responses to a similar question here: https://answers.splunk.com/answers/29551/too-many-search-jobs-found-in-the-dispatch-directory.html

Hope that helps!

Jacob
Sr. Technical Support Engineer
0 Karma
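
The age-based cleanup of $SPLUNK_HOME/var/run/splunk/dispatch described in the reply above, as an added example that is not part of the original thread and not Splunk's own tooling: it moves job folders older than a cutoff into a holding directory instead of deleting them, so a mistake can be undone. The function names, the /opt/splunk default and the holding directory are assumptions, and it requires filesystem access to the Splunk host.

```shell
#!/bin/sh
# Added example (not from the thread): archive stale dispatch job folders.
# Assumption: SPLUNK_HOME defaults to /opt/splunk when it is not set.
DISPATCH_DIR="${DISPATCH_DIR:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/dispatch}"

# list_stale_jobs DIR MINUTES
# Print the top-level job folders in DIR whose modification time is more
# than MINUTES minutes old. Only direct children are considered, so files
# inside a job folder are never touched individually.
list_stale_jobs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mmin "+$2" | sort
}

# archive_stale_jobs DIR MINUTES HOLDING
# Move every stale job folder from DIR into HOLDING and print how many
# were moved. HOLDING should sit outside DIR, ideally on the same
# filesystem so the move is a rename rather than a copy.
archive_stale_jobs() {
    dir=$1
    minutes=$2
    holding=$3
    moved=0
    mkdir -p "$holding" || return 1
    # The here-document keeps the loop in the current shell, so the
    # counter survives (a pipeline would run the loop in a subshell).
    while IFS= read -r job; do
        [ -n "$job" ] || continue
        mv -- "$job" "$holding/" && moved=$((moved + 1))
    done <<EOF
$(list_stale_jobs "$dir" "$minutes")
EOF
    echo "$moved"
}

# Run only when called as: script.sh MINUTES HOLDING_DIR
if [ "$#" -eq 2 ]; then
    archive_stale_jobs "$DISPATCH_DIR" "$1" "$2"
fi
```

Run `list_stale_jobs` on its own first to review what would be moved, and remove the holding directory only once you are sure none of the archived results are still needed.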

Explorer

The problem is that I have no Splunk folder since I'm using the web-based virtual environment to use with the e-learning labs. I am also not an admin there but a power user. I followed the labs but I also did some experimentation of my own which might have upped the search capacity. The other commenter said that I might just be out of luck since I can't really do anything as a non-admin, but if I can I'd love to hear it.

0 Karma

Splunk Employee

Oh I see, I thought you were running a local instance but you are connecting to an instance provided for the e-learning class. The options I suggested above would not work then. You could possibly disable any scheduled jobs and then allow the existing completed jobs to age out.

Browse to Settings -> Searches, reports, and alerts. Then in the top right corner for "App Context" select "All" and for "Owner" select "Any". Then look at the scheduled time column and if you see ones that are scheduled, disable them. You can then allow some time to pass and, based on the searches' TTL, they will delete on their own.

I am just not sure on those e-learning instances what options are available but hopefully that gives you one path to resolution.

Jacob
Sr. Technical Support Engineer
0 Karma

Champion

I apologize for my previous response. I misread your note, and didn't realize you were doing a purely virtual class.

In that case, I am not sure what you can do without help from an administrator.

0 Karma