Splunk® Enterprise

Troubleshooting Manual

Too many search jobs

A real-time (all-time) scheduled search might spawn many search jobs in the search dispatch directory when alert throttling is not enabled. This might negatively affect search performance.

Symptom

Splunk Web displays a warning about too many search jobs in the dispatch directory.

Remedies

Make sure that alert throttling is configured for any real-time all-time scheduled searches. Configure throttling in Settings > Searches, reports, and alerts. See Throttle alerts in the Alerting Manual.

If alert throttling is configured and you still see this warning, make the alert expiration shorter than the default of 24 hours. For example, change "alert expiration time" from 24 hours to 1 hour (or less, if you need your alert triggered very frequently). See Additional alert configuration options in the Alerting Manual.
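Both remedies can be checked offline against an exported savedsearches.conf. The script below is an added example, not part of the Splunk documentation or product: it flags scheduled searches whose dispatch.earliest_time and dispatch.latest_time are both rt (real-time, all-time) and that either lack alert.suppress or keep the 24-hour default for alert.expires. It assumes a single flat file (no merging of default and local layers), and the sample stanzas are constructed.

```python
import re
# Constructed sample savedsearches.conf; stanza names are made up for this example.
SAMPLE_CONF = """
[rt alert, no throttle]
enableSched = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
[rt alert, throttled, default expiry]
enableSched = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
alert.suppress = 1
[rt alert, throttled, 1h expiry]
enableSched = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
alert.suppress = 1
alert.expires = 1h
[hourly report]
enableSched = 1
dispatch.earliest_time = -1h
"""
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_conf(text):
    """Parse [stanza] headers and key = value lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def to_seconds(spec):  # "24h" -> 86400; None if the specifier is not <int>[smhd]
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None

def audit(text, max_expiry="1h"):
    """Return {search name: finding} for real-time all-time scheduled searches."""
    findings = {}
    for name, s in parse_conf(text).items():
        all_time_rt = s.get("dispatch.earliest_time") == s.get("dispatch.latest_time") == "rt"
        if s.get("enableSched") in ("1", "true") and all_time_rt:
            if s.get("alert.suppress", "0") not in ("1", "true"):
                findings[name] = "throttling not enabled"
            elif (to_seconds(s.get("alert.expires", "24h")) or 0) > to_seconds(max_expiry):
                findings[name] = "alert expiration exceeds " + max_expiry
    return findings
```

Call `audit()` with the text of your own file and a `max_expiry` that matches how often the alert needs to trigger.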

The Monitoring Console has a helpful view, Distributed search: Instance. The view provides details on search artifacts, including time to reap the dispatch directory.

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2, 8.0.0

