Too many search jobs
A real-time (all-time) scheduled search will spawn many search jobs, populating the search dispatch directory, when there is no suppression (aka alert throttling). This can negatively effect search performance.
Splunk Web displays a yellow banner warning of too many search jobs in the dispatch directory.
First, check that for any real-time all-time scheduled searches, you've configured alert throttling. Configure throttling in Settings > Searches and Reports. Read more about throttling in Define per-result alerts in the Alerting Manual.
Already throttled alerts and still getting the warning? A second step you can take is to make alert expiration shorter than the default of 24 hours. If you can, change "alert expiration time" from 24 hours to 1 hour (or less, if you need your alert triggered very frequently). See Manage search jobs in the Search Manual.
The Splunk on Splunk App, version 3.0+, has a helpful view, Dispatch Directory Inspector. The view provides details on search artifacts, including breaking down the disk usage footprint. SoS 3.0.1 and onwards ships with an "as-is" troubleshooting script, dispatch_inspector.py, in
I can't find my data!
Dashboard in app is not showing the expected results
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14