All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SoS - no results returned for the "Distributed Searches Memory Usage" view

Sqig
Path Finder
‎03-19-2013 10:09 AM

Hi. We are trying the Splunk on Splunk app for the first time because one of our two environments is constantly being hammered.

We have search heads in a pool and we have 4 Indexers for distributed search.

Splunk version is 4.3.3. Latest S.o.S. is installed on the search heads and the SoS TA is installed on the indexers. On all servers, I have enabled the two scripted inputs.

When I pull up the 20 most memory intensive searches, I get No Data returned. The Job Inspector shows the following information, but I have no idea why all of these fields are missing. I'm hoping someone has some insight! Thanks.

DEBUG: Specified field(s) missing from results: '_time', 'search', 'search_head', 'user'
DEBUG: [splunk1-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk2-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk3-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk4-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [subsearch]: base lispy: [ AND index::_audit search splunk_server::splunk3-head-brn1 ]
DEBUG: base lispy: [ AND index::sos sourcetype::ps ]
DEBUG: search context: user="amurray", app="sos", bs-pathname="/app/splunk_mounted/etc"
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎03-19-2013 03:10 PM

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎03-19-2013 03:10 PM

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...