Hello there,
On a Search Head Cluster (6.5.3), when performing an Health Check, I have had a warning for having a high skip ratio - between 60 & 80 %.
It seemed like it only affected the SHC captain.
I found out that, in order to reduce the load on the SHC captain - which is executing savedsearches, ad hoc searches and delegating savedsearches between other peers -, it was recommended to configure the captain to run ad hoc searches only.
It is documented here :
https://docs.splunk.com/Documentation/Splunk/7.0.0/DistSearch/Adhocclustermember#Configure_the_captain_to_run_ad_hoc_searches_only
This way, the captain only launches ad hoc searches & still delegates seavedsearches between cluster members.
I believed this would resolve our issue.
However, the skip ratio is now of 100%, still only on the captain.
It is always 100% which is weird.
To me it is more like an issue in the way internal log are being generated.
Logs are saying : this savedsearch has been skipped on this host which is the captain, reason : the max number of auto summarization has been reached ...
While it should rather be saying : this savedsearch has been skipped on this host which is the captain, reason : captain configured to run ad hoc searches only.
The thing that makes me doubt about this is the reason savedsearches are being skipped on the captain : "the max number of auto summarization has been reached"
So I am wondering if :
it is really a good practice & it's more like a logging issue
or
it is not a good practice
Note that there are no errors on the Data Models savedsearches are flagged as being skipped -> Build 100 %
Would anyone have an idea on this ?
Thanks for any feedback!
↧