Deployment Architecture

I can't get full results in distributed search.

yutaka1005
Builder

When I searched on the search head, the following message was displayed.

error: Some events cannot be displayed because they cannot be fetched from the remote search peer(s). This is likely caused by the natural expiration of the related remote search jobs. To view the omitted events, run the search again.

Also, recently I feel that search performance is slow.
I investigated the cause of this problem and found the following log entries on each search peer.

  • WARN SearchResultWorkUnit - timed out, sending keepalive nConsecutiveKeepalive=27 currentSetStart=1548939053.000000
  • ERROR SearchResultWorkUnit - Error in transmit, writing to serialized transmit queue terminated.
  • Unable to fully write search results because of Broken pipe wrote 0 out of 2630 bytes

What else could be the cause of this, other than "insufficient ulimit value on the indexer side" and "a network problem"?

Also, if there is a possibility of a network problem, would information for determining that be written to the internal logs?

If anyone knows about this, please tell me.


woodcock
Esteemed Legend

Run the Health Checks on your Monitoring Console; it will probably tell you that you have some combination of these 5 problems on your indexers. Fix ALL OF THEM:

1: THP is on
2: ulimits too low
3: Too few cores
4: Too little RAM
5: Too slow disk I/O

yutaka1005
Builder

I can't find a problem with THP or ulimit.
Also, CPU usage and memory usage are not too high.

The only point of concern is that the utilization of the partition where the hot and warm data of each indexer are stored is close to 95%. Is this related?

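The reply above lists five things to check on each indexer (THP, ulimits, cores, RAM, disk), and the follow-up raises a hot/warm partition that is 95% full. The script below is an added example, not code from this thread or from Splunk, that checks those items from a shell on an indexer. The thresholds (MIN_OPEN_FILES, MIN_CORES, MIN_RAM_MB, MAX_DISK_PCT) and the hot/warm path are assumptions to adjust for your environment; the parsing helpers are split out so they can be exercised on constructed input without touching the host.

```shell
#!/bin/sh
# Added example (not from the thread): a quick local health check for the items
# in the reply above. Thresholds and the default hot/warm path are assumptions.

MIN_OPEN_FILES=64000   # assumed minimum for `ulimit -n`
MIN_CORES=12           # assumed minimum CPU cores
MIN_RAM_MB=12000       # assumed minimum RAM in MB
MAX_DISK_PCT=80        # assumed maximum use of the hot/warm partition

# Parse the kernel's THP setting line, e.g. "always [madvise] never", print the
# bracketed (active) mode, and return 0 only when THP is off ("never").
thp_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    printf '%s\n' "$mode"
    [ "$mode" = "never" ]
}

# Return 0 if a limit value (a number or "unlimited") meets the minimum in $2.
limit_ok() {
    [ "$1" = "unlimited" ] && return 0
    [ "$1" -ge "$2" ]
}

# Take one POSIX `df -P` data line and print its use percentage without '%'.
df_pct() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Run all checks on this host. Prints one line per failed check and returns
# the number of failures as the exit status (0 means everything passed).
indexer_health() {
    hotwarm_path=${1:-/opt/splunk/var/lib/splunk}   # assumed default location
    fails=0

    if [ -r /sys/kernel/mm/transparent_hugepage/enabled ]; then
        mode=$(thp_mode "$(cat /sys/kernel/mm/transparent_hugepage/enabled)") || {
            echo "FAIL THP is enabled (mode=$mode)"; fails=$((fails + 1)); }
    fi

    nofile=$(ulimit -n)
    limit_ok "$nofile" "$MIN_OPEN_FILES" || {
        echo "FAIL ulimit -n is $nofile (< $MIN_OPEN_FILES)"; fails=$((fails + 1)); }

    cores=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc)
    [ "$cores" -ge "$MIN_CORES" ] || {
        echo "FAIL only $cores cores (< $MIN_CORES)"; fails=$((fails + 1)); }

    if [ -r /proc/meminfo ]; then
        ram_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
        [ "$ram_mb" -ge "$MIN_RAM_MB" ] || {
            echo "FAIL only ${ram_mb} MB RAM (< $MIN_RAM_MB)"; fails=$((fails + 1)); }
    fi

    if [ -d "$hotwarm_path" ]; then
        pct=$(df_pct "$(df -P "$hotwarm_path" | tail -n 1)")
        [ "$pct" -le "$MAX_DISK_PCT" ] || {
            echo "FAIL $hotwarm_path is ${pct}% full (> $MAX_DISK_PCT%)"; fails=$((fails + 1)); }
    fi

    return "$fails"
}
```

Run `indexer_health /path/to/hot-warm` as the user that runs splunkd, since `ulimit -n` reports that user's own limit, and check the exit status. The script only reports what the local host shows; it does not consult the Monitoring Console, and a network problem between search head and peers would still have to be confirmed separately.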