I have three indexers. All configured the same all with the same hardware (16 cores 32 GB ram).
I have a simple search for internal data
` index=_internal host=My-License-Manager source=*license_usage.log type="RolloverSummary" earliest=-30d@d`
This search runs in just over 5 seconds on indexer #1 and times out on indexer #2 and #3
If I change the time to `earliest=-35d@d latest=-4d@d` indexer #2 returns in 5 seconds but only #3 times out.
If I change the time to `earliest=-29d@d latest=-4d@d` all three indexers return results in just over 5 seconds.
One day later or one day earlier will cause indexer #2 or #3 to time out.
how do I start to troubleshoot what is causing this. I am sure this can't be isolated to this one data set and has to be affecting other data sets as well.
I opened a Case `Number 387826 Date/Time Opened 8/23/2016 7:31 AM` with splunk support but no response yet
↧