Solved: Re: Saved search cause slow and not access in splu...

YUNHYEONG · ‎04-23-2019

Hello, splunker.

I have about 50 savedsearch.

It's schedule is executed once every 30 minutes and my workstation have 4 core.

So I set it as follows.

[search]
base_max_searches = 24
max_searches_per_cpu = 4

[scheduler]
max_searches_perc = 200

however, my splunk so slow.

I can't access splunk and putty shell

why?

I am splunk novice.

please help me.

thank you.

codebuilder · ‎04-24-2019

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎04-24-2019

Those settings are way too high for your system.

Try these instead:
[search]
base_max_searches = 6
max_searches_per_cpu = 2

[scheduler]
max_searches_perc = 80

Also make sure that your scheduled searches are not running "all-time" queries, e.g.

----
An upvote would be appreciated and Accept Solution if it helps!

YUNHYEONG · ‎04-26-2019

ty your answer but, i will upgrade my server. it is 8 core. how do i set my server?

codebuilder · ‎04-29-2019

I would suggest testing the parameters I supplied. I think the most important change in your config is the max_searches_perc, which you previously had/have set to 200%. Try the suggested settings then evaluate how your system performs.

----
An upvote would be appreciated and Accept Solution if it helps!

YUNHYEONG · ‎04-29-2019

thank you. It helped me a lot.

Saved search cause slow and not access in splunk

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...