Splunk Search

How to take the list of all auto-summarization searches from search head cluster?

Hemnaath
Motivator

Hi All, can anyone guide me in getting the list of all auto-summarization searches from the search head cluster? We are getting the message "The maximum number of concurrent auto-summarization searches on this instance has been reached". It occurs because the currently running summarization searches have not completed and the scheduler cannot start the next summarization search.
Because of this, we can see that some of the scheduled searches are skipped without running, so we want to list all auto-summarization searches from the search head cluster. We may be able to remove some that aren't needed before making a change that has the potential to greatly impact performance.

So kindly guide me how to get the list of all auto-summarization searches from the search head cluster.

0 Karma

DalJeanis
SplunkTrust

First, review this page on how to troubleshoot search quotas - http://wiki.splunk.com/Community:TroubleshootingSearchQuotas

The remainder of this wording, down to the bar, is copied from that page...

First of all, check your search performance
The goal is to figure out which users are running the most searches and whether some of them are skipped.

A very nice dashboard exists in the Search app > status > scheduler activity > By user or app.

You can also look at the detail with this search over a day or an hour.

index=_internal source=*scheduler.log* | stats count by user, app , savedsearch_name, status

index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host

Note: The user "nobody" means that no particular user is owner of the search. This is often the case for a savedsearches.conf defined for an app. For the user "nobody" the default quotas will be applied.

Then get your settings by looking at the configuration files, or use ./splunk cmd btool authorize list


You can also look at this one and get the searches from there to figure out the ones that are being skipped...

https://answers.splunk.com/answers/527895/why-is-there-a-high-skip-ratio-showing-in-schedule.html

0 Karma

Hemnaath
Motivator

Hi Dal Jeanis, thanks for your effort on this issue. I executed the above query and found the list of users, hosts and saved search names from the query.

index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host,status

Based on the search result, I found that skipped statuses are being generated from two Splunk instance nodes:

1) Search head cluster master
2) Deployment server

User: Admin & nobody

But I am unable to get the exact saved search name from the list. I could see the names below under the saved search column:

_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_2472f801659441b4_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_1a56f43bf8d5bf20_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_search_nobody_365ca83246f2cca8_ACCELERATE

So kindly let me know how to get the saved search name and fix the issue.

Please guide me on this

thanks in advance.

0 Karma
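An added example, not part of any post in this thread: it splits the `ACCELERATE` names quoted above into their parts and totals skipped runs per summary, working on rows exported from the `stats count BY ... savedsearch_name, status` search. The name layout (GUID, app, owner, 16-hex id) is an assumption read off the three names in the thread; `parse_accel_name`, `skipped_accelerations` and the sample statuses and counts are constructed for illustration.

```python
import re
from collections import Counter

# Layout assumed from the names posted in this thread (not from Splunk docs):
#   [_]ACCELERATE_<GUID>_<app>_<owner>_<16-hex id>_ACCELERATE[_]
# Assumption: the owner contains no underscore; the app name may.
ACCEL_RE = re.compile(
    r"^_?ACCELERATE_"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})_"
    r"(?P<app>.+)_(?P<owner>[^_]+)_(?P<summary_id>[0-9a-f]{16})"
    r"_ACCELERATE_?$"
)

def parse_accel_name(name):
    """Return guid/app/owner/summary_id for an acceleration search name, else None."""
    m = ACCEL_RE.match(name.strip())
    return m.groupdict() if m else None

def skipped_accelerations(rows):
    """Sum skipped runs per (app, owner, summary_id) from (name, status, count) rows."""
    totals = Counter()
    for name, status, count in rows:
        parts = parse_accel_name(name)
        # Ordinary saved searches and non-skipped runs are ignored here.
        if parts and status == "skipped":
            totals[(parts["app"], parts["owner"], parts["summary_id"])] += count
    return totals

# Names are the ones quoted in the thread; statuses and counts are constructed.
SAMPLE_ROWS = [
    ("_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls"
     "_admin_2472f801659441b4_ACCELERATE", "skipped", 12),
    ("ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor"
     "_nobody_1a56f43bf8d5bf20_ACCELERATE", "skipped", 7),
    ("ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_search"
     "_nobody_365ca83246f2cca8_ACCELERATE", "success", 40),
    ("ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_search"
     "_nobody_365ca83246f2cca8_ACCELERATE", "skipped", 3),
    ("Constructed Daily Report", "skipped", 5),  # not an acceleration search
]

if __name__ == "__main__":
    for (app, owner, sid), n in skipped_accelerations(SAMPLE_ROWS).most_common():
        print(f"{n:4d} skipped  app={app}  owner={owner}  summary_id={sid}")
```

The app and owner it reports narrow down which app's accelerated reports to review; the 16-character id is kept as an opaque key.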

Hemnaath
Motivator

Hi All, can anyone guide me on this issue, please?

thanks in advance

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to find the exact saved search name from the saved search names below?

_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_2472f801659441b4_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_1a56f43bf8d5bf20_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_search_nobody_365ca83246f2cca8_ACCELERATE

As I need to fix the skipped searches issue, kindly guide me on this please.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to find the saved search name from the saved search names below?

_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_2472f801659441b4_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_1a56f43bf8d5bf20_ACCELERATE

ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_search_nobody_365ca83246f2cca8_ACCELERATE

Kindly guide me on this please.
thanks in advance

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to list all the auto-summarization searches in Splunk from the search head cluster?

thanks in advance.

0 Karma