Splunk Search

How to change the frequency of search jobs scheduled to run from configuration files to prevent 100% CPU usage?

Javo222
Path Finder

I've messed my Splunk system up a bit and some jobs or searches (I don't remember) are continuously running (every minute I think). This causes my CPU to rise to 100% a few seconds after splunkd starts. Unfortunately, I don't have time to stop them or edit them from Splunk Web.

Are the jobs stored in any config file? I would like to edit them so I can change the frequency to 24h or so.

Right now I'm stuck and can't do anything.

0 Karma
1 Solution

sjohnson_splunk
Splunk Employee
Splunk Employee

Look for a file: savedsearches.conf inside of an app/local directory: (like etc/apps/search/local)

View solution in original post

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

Look for a file: savedsearches.conf inside of an app/local directory: (like etc/apps/search/local)

0 Karma

Javo222
Path Finder

Thanks! Found it under C:\Program Files\Splunk\etc\users\admin\search\local

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You can access all your saved searches in the Splunk web interface (The GUI).. Go to the top left where it says Activity then select Jobs and this will show all the searches that are running

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...