Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are 50% of saved searches and scheduled searches showing as skipped on my Windows search heads?

brod_geico
Path Finder
‎12-18-2014 12:37 PM

On my windows search heads some of the searches showing skipped status. Some of them are running and some of them are not.
status=skipped, scheduled_time=1418934000.

i have checked below things.
disk quota limit.
alerts conf files
dispatcher

DispatchManager - The system is approaching the maximum number of historical searches that can be run concurrently. current=12 maximum=14
12-18-2014 14:36:04.542 -0500 WARN DispatchManager - The system is approaching the maximum number of historical searches that can be run concurrently. current=12 maximum=14
12-18-2014 14:36:11.979 -0500 WARN DispatchManager - The system is approaching the maximum number of historical searches that can be run concurrently. current=12 maximum=14
12-18-2014 14:36:19.401 -0500 WARN DispatchManager - The system is approaching the maximum number of historical searches that can be run concurrently. current=12 maximum=14

The system is approaching the maximum number of historical searches

0 Karma
Reply

jayannah
Builder
‎12-23-2014 04:39 PM

That's because adhoc searches are having higher priority over scheduled searches.

How many CPU core in the search head and indexers in your configuration?

You may have increase number of search heads or CPU core since it looks high number of searches are running concurrently.

0 Karma
Reply

brod_geico
Path Finder
‎12-18-2014 01:23 PM

Thanks for your help i have checked that already. im running with spluk 6.1 verison

0 Karma
Reply

somesoni2
Revered Legend
‎12-18-2014 01:22 PM

I guess you're running more searches then your role allows you to run con-currently. Check this link to see how the quota is calculated.

http://wiki.splunk.com/Community:TroubleshootingSearchQuotas

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...