All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SoS - no results returned for the "Distributed Searches Memory Usage" view

Sqig
Path Finder
‎03-19-2013 10:09 AM

Hi. We are trying the Splunk on Splunk app for the first time because one of our two environments is constantly being hammered.

We have search heads in a pool and we have 4 Indexers for distributed search.

Splunk version is 4.3.3. Latest S.o.S. is installed on the search heads and the SoS TA is installed on the indexers. On all servers, I have enabled the two scripted inputs.

When I pull up the 20 most memory intensive searches, I get No Data returned. The Job Inspector shows the following information, but I have no idea why all of these fields are missing. I'm hoping someone has some insight! Thanks.

DEBUG: Specified field(s) missing from results: '_time', 'search', 'search_head', 'user'
DEBUG: [splunk1-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk2-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk3-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [splunk4-brn] search context: user="sqig", app="sos", bs-pathname="/app/splunk/var/run/searchpeers/splunk3-head-1363707911"
DEBUG: [subsearch]: base lispy: [ AND index::_audit search splunk_server::splunk3-head-brn1 ]
DEBUG: base lispy: [ AND index::sos sourcetype::ps ]
DEBUG: search context: user="amurray", app="sos", bs-pathname="/app/splunk_mounted/etc"
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎03-19-2013 03:10 PM

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎03-19-2013 03:10 PM

Thank you for reporting this issue. We are unhappy with the current implementation of this particular view and as a result, we are planning to retire it in the next version of S.o.S.
If you want to hunt for searches that use large amounts of memory, the best course of action at this time is to hit the "Splunk CPU/Memory Usage" view and to scope it to the search-heads.
We will rebuild a deployment-wide search memory usage view in the near future.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...