Splunk Search

How do I investigate delayed searched reported in Health status under Splunkd

SamHTexas
Builder

I keep getting delayed searches marked in red "Health Status - Splunkd". How do I investigate and fix this issue?

Labels (1)
Tags (1)
0 Karma

tscroggins
Builder

@SamHTexas 

The simplest method is the local monitoring console. Click Settings > Monitoring Console. In the app bar, click Search > Scheduler Activity: Instance. In the Historical Charts section of the dashboard, you can see various panels related to search scheduling.

If you find many deferred searches, you have three options:

1. Optimize scheduled searches.
2. Adjust limits. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#Concurrency.
3. Add CPUs. (This is often Splunk's recommendation, but try optimization first.)

0 Karma

SamHTexas
Builder

Thank u. In the historical section.  I see "no results found" and 0 for total historical chart area ( at bottom left). No matter what I change in the time range or group by items, nothing happens. Please advise.

Tags (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!