In the splunk app for cef I can't seem to get more than 6* searches to run even though I have more scheduled.
If I check the job window I can see the 6 running. If I disable some in the gui others that were scheduled will kick off.
I thought this might be a user search quota issue but i've tried upping it real time searches to 32 and there isn't a difference.
Jobs are running under nobody according to the scheduler but as admin according to a "ps -ef" of the searches.
05-19-2016 14:51:09.433 +1000 INFO SavedSplunker - savedsearch_id="nobody;splunk_app_cef;CEF -
`splunk 4110 3742 5 16:35 ? 00:02:44 [splunkd pid=3741] search --id=rt_scheduler__admin_c3BsdW5rX2FwcF9jZWY__RMD526aa03c0ac6ad7fa_at_1463639711_3018 --maxbuckets=0 --ttl=120 --maxout=500000 --maxtime=0 --lookups=1 --reduce_freq=10 --rf=* --user=admin --pro --roles=admin:power:user
The search head i'm trying this on there isn't any other searches. It also has 32 cpus so its not a base search x max number of searches limit either.
The scheduler.log also support that the jobs aren't running until I stop others.
\* Note: I can persuade splunk into running a 7th search into running by clicking disabled/enabled in the savedsearches manager window but I can't get any more than that to run.
If I change all the searches to be windows ie. -2m@m to -1m@m run every minute then they will all run as scheduled (10 in total).
It really feels like im hitting some sort of limit but I can't figure out where.
Standalone splunk v6.4. 32 core.
↧