Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to increase the maximum number of concurrent historical searches?

perlish
Communicator
‎07-31-2012 05:12 PM

Splunk warns that:

The system is approaching the maximum number of historical searches that can be run concurrently. current=55 maximum=68

...but the cpu and mem resouce of the system are free.

How to increase the maximum number of concurrent historical searches?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-31-2012 08:43 PM

If you want to fiddle with this limit, you'll have to set higher values than the default for base_max_searches or max_searches_per_cpu in $SPLUNK_HOME/etc/system/local/limits.conf. From limits.conf.spec:

[search]

base_max_searches = <int>
* A constant to add to the maximum number of searches, computed as a multiplier of the CPUs.
* Defaults to 4

max_searches_per_cpu = <int>
* The maximum number of concurrent historical searches per CPU. The system-wide limit of  historical searches is computed as: 
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* Note: the maximum number of real-time searches is computed as: 
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 4

Do note, however, that 55 concurrent searches is already a pretty high number. If CPU is not a bottleneck (it seems that you have 16 cores on this machine), it's quite possible that I/O throughput and IOPS on the device hosting the indexes will be.

View solution in original post

Reply
Solved! Jump to solution

Funderburg78
Path Finder
‎10-11-2019 10:26 AM

Note: Splunk 7.1.x utilizes the following Defaults:
base_max_searches = 6
max_searches_per_cpu = 1

0 Karma
Reply
Solved! Jump to solution

bhawkins1
Communicator
‎10-14-2016 03:17 AM

Semi-unrelated note: If splunk is complaining about "maxsearches" - this isn't the same as the error described above. Instead, see documentation for map.

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-31-2012 08:43 PM

If you want to fiddle with this limit, you'll have to set higher values than the default for base_max_searches or max_searches_per_cpu in $SPLUNK_HOME/etc/system/local/limits.conf. From limits.conf.spec:

[search]

base_max_searches = <int>
* A constant to add to the maximum number of searches, computed as a multiplier of the CPUs.
* Defaults to 4

max_searches_per_cpu = <int>
* The maximum number of concurrent historical searches per CPU. The system-wide limit of  historical searches is computed as: 
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* Note: the maximum number of real-time searches is computed as: 
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 4

Do note, however, that 55 concurrent searches is already a pretty high number. If CPU is not a bottleneck (it seems that you have 16 cores on this machine), it's quite possible that I/O throughput and IOPS on the device hosting the indexes will be.

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎01-14-2013 10:50 AM

Note that in Splunk 5, the default value of max_searches_per_cpu is changed to 1 (from 4). See http://splunk-base.splunk.com/answers/70679/why-are-the-default-values-of-max_searches_per_cpu-and-b... for more information.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...