Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk searches skipped after upgrading to 8.1.0

vagsec
New Member
‎11-30-2020 12:51 PM

Hi all,

I have upgraded our Splunk index cluster from 7.3.0 to 8.1.0 and since then I see the below red message on search head:

 

The percentage of non high priority searches skipped (50%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=20. Total skipped Searches=10

 

 

Do you have any ideas how could I recover from this?  And what is causing it? I took all the steps as described here https://docs.splunk.com/Documentation/Splunk/8.1.0/Installation/AboutupgradingREADTHISFIRST 

I have followed this problem as well, but no luck: https://community.splunk.com/t5/Installation/Rolling-upgrade-restart-scheduled-searches-skipped-erro...

 

Regards,

Evang

Regards,

Evang

0 Karma
Reply

SirDrake7
Explorer
‎12-22-2020 09:54 AM

@vagsec 

 

Did you ever get this resolved by chance?  I am having the same issue.

Thank you,

Tags (1)
0 Karma
Reply

vagnet
Explorer
‎01-05-2021 02:51 AM

Hi SirDrake7. I resolved it by increasing the maximum number of concurrent searches on the limits.conf file.

0 Karma
Reply

SirDrake7
Explorer
‎01-25-2021 02:42 PM

Thank you,

 

Would you be able to share the section you added?

 

I ended up going in to Settings: Server Settings:  Search Preferences:  and I increased the Relative concurrency limit for scheduled searches and summarization searches from 50% to 100%.  Based off what supported stated my searches should not require any change over 50% - not to mention I had doubled my CPU's and upped my RAM x4 lol.  So if there is a config file change that would be better than my fix.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...