Hi @cusello,

I am having system with large resources and there are sufficient resources available for the new queries to run.

Also I confirmed that by opening dashboards and putting Indexer in Down state while monitoring CPU and Memory resources.

CPU utilization was below 50% and Memory still 2 to 3 GB was available during that period.

Hi jet1276,
What do you mean with large resources?
if you use at the same time two dashboard with 30 searches each one you have at the same time 60 searches! have you 60 CPUs on you Indexer?
I had a similar problem because one of my customers had around 10 users and each one used one or two dashboards with 12 real time searches, globally I had 87 contemporary real time searches!
I replaced them with scheduled reports and I grouped searches in each dashboard using Poste Process Searches, reducing load on my indexers.

Use DMC to monitor your situation when you have problems.
Anyway I suggest to open a Case to Splunk Support but they probably will say to you the same thing!

Bye.
Giuseppe

Hi @cusello,

I have 48 CPU server and its utilization max goes to 60%. And I have changed settings of "max_searches_per_cpu" in limits.conf to 2. So at least 96 realtime searches can run at a time.

So thats why I think I have enough resources.

And I do not have DMC at the moment but I will integrate it in some time and check the utilization again.

Please let me know if I need to do anything else.

Thanks.

you are wrong to assume that it will support 96 real time searches by just having that seeting

Open a case to Splunk Support: they will support you.
Bye.
Giuseppe

Thanks so much @cusello for your help.

Hello jet1276,

Has this issue been resolved? I'm having similar issue with 1 search and 1 indexer where the indexer goes down(8000 and 8089, but Splunk status show up) when large searches are performed and coming back up after a while. Both search head and indexer servrs are running 7.1.

Thanks.