Hi Folks;
Trying to develop some best practices with our new Splunk cluster, and would like some feedback from current admins. What would be the best way to manage system-wide concurrent searches? Lately I have been seeing messages pop up regarding hitting the max limit of concurrent searches at 27.
I have inherited our Splunk cluster, so I am working towards maintaining it so that we can ensure optimal performance and proper usage across our company. After doing some research, I have a few questions that I was hoping to find help with on the topic:
1. First, should any searches really be happening in the Search app? We have done our best to create apps for each of the indexes we have reporting in. Would there be any reason our users would be running a scheduled search against the Search app?
2. Should users be allowed to schedule searches, or should administrators maintain that? My curiosity is on how admins have ensured that users are scheduling searches at appropriate times and not, like in our case, scheduling a ton of searches to run at midnight.
3. I have several searches in my cluster that are running for an hour or so, are at 100%, and the logs for each of the searches look like they have completed their tasks and are now just printing "10-03-2016 21:22:54.906 INFO DispatchThread - Generating results preview took 1 ms" .... I suspect that this isn't normal?
Thanks all, any help would be appreciated!
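One way to spot the midnight pile-up from question 2 before the scheduler hits the concurrency limit, as an added example that is not part of the original post or of Splunk's own tooling: parse a savedsearches.conf and count how many enabled scheduled searches fire in the same minute. The config sample is constructed, and only the minute and hour cron fields are expanded (the day, month and weekday fields are assumed to match, a simplification).

```python
"""Added example, not from the original post: count how many enabled scheduled
searches in a Splunk savedsearches.conf fire in the same minute of the day.
SAMPLE_CONF is constructed; only minute/hour cron fields are expanded."""
import configparser
from collections import Counter

SAMPLE_CONF = """\
[Nightly errors]
enableSched = 1
cron_schedule = 0 0 * * *
[Nightly logins]
enableSched = 1
cron_schedule = 0 0 * * *
[Quarter-hourly volume]
enableSched = 1
cron_schedule = */15 * * * *
"""

def expand_field(field, lo, hi):
    """Expand one cron field (*, */n, a-b, a,b, a-b/n) into a set of ints."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step or 1)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
        values.update(range(start, end + 1, step))
    return values

def scheduled_load(conf_text):
    """Counter of minute-of-day -> number of enabled, non-disabled searches firing."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    load = Counter()
    for stanza in cp.sections():
        enabled = cp.get(stanza, "enableSched", fallback="0") == "1"
        if not enabled or cp.get(stanza, "disabled", fallback="0") == "1":
            continue  # the scheduler only runs enableSched = 1 stanzas
        minute_f, hour_f = cp.get(stanza, "cron_schedule").split()[:2]
        for h in expand_field(hour_f, 0, 23):
            for m in expand_field(minute_f, 0, 59):
                load[h * 60 + m] += 1
    return load

def peak_slot(load):
    return max(load.items(), key=lambda kv: (kv[1], -kv[0])) if load else (None, 0)
```

Compare the peak count against the concurrent-search limit reported in the warning (27 here); slots that approach it are candidates for staggering the cron_schedule values.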