Splunk Search

How to find all concurrent searches that are running at the same time?

kteng2024
Path Finder

Hi there,

Is there any way to find out the all scheduled searches which are scheduled to run at same time because it seems like all the scheduled searches are running at same time causing the kernel to kill splunkd by OOM killer because splunk is consuming too much of CPU to run all those searches .

0 Karma

woodcock
Esteemed Legend

You need to tune OOM Killer because Splunk need "all the stuff" routinely and that generally should not be a reason to kill it.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this search.. It will give you a visual representation of scheduled searches vs real-time searches

index=_internal sourcetype=splunkd source=*metrics.log group=search_concurrency "system total"
| timechart max(active_hist_searches) as "Historical Searches" min(active_realtime_searches) as "Real-time Searches" by host

0 Karma
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...