Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I still getting "too many search jobs..." after running the clean dispatch command?

a212830
Champion
‎07-15-2015 04:25 AM

Hi,

I am getting the following:

 Search peer zdal134 has the following message: Too many search jobs found in the dispatch directory (found=3289, warning level=2000). This could negatively impact Splunk's performance, consider removing some of the old search jobs.

I've run the clean dispatch command, and it worked, and restarted the SH, but the message is still appearing. Is there something else that needs to be done?

0 Karma
Reply

tweaktubbie
Communicator
‎12-16-2015 02:22 AM

I used to have this issue on the search heads and have managed to bring retention back to 24 hours or less with around 5000 jobs.

But what happens as from today, I get the same issue but this time from the two search peers (=! not search heads, but both indexers), both give a warning >2000.

Thought the dispatch issue that many of us face (makes one think Splunk should improve this somehow...) was isolated to the place where searches were fired from (search heads), but it appears 'some' searches pass to the indexers that still have default settings. What jumps over to the indexers, and what searches do count/add up?

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-15-2015 05:35 AM

Just cleaning dispatch is not always enough. If your users share a lot of searches, you will have more folders in dispatch since the TTL for the shared searches is increased. You can run this command to see which ones are older than 5 days and delete them, if you so wish.

find $SPLUNK_HOME/var/run/splunk/dispatch -mtime +5 -type d -exec rm -rf {} \;

Alternatively, you can up the limit of the warning. In limits.conf place this setting:

[search]
dispatch_dir_warning_size = 3500

This will now only give a warning when you have more than 3500 folders in dispatch. Be cautious, this may negatively affect your environment depending on hardware specs.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...