Splunk® Enterprise

Distributed Search

Handle slow search peers

A search normally continues to run until all search peers return the requested data. This can sometimes create a problem in deployments with very large numbers of search peers (100+). If one of the peers is much slower than the others in returning its portion of the data (for example, due to network issues), the searches can continue for abnormally long periods of time while awaiting the final results from that peer.

If such a situation arises and you want to trade data fidelity for search performance, you can direct the search head to end long-running searches without waiting for a slow peer to finish sending all its data. To do this, you enable the search head's [slow_peer_disconnect] stanza in limits.conf. By default, this capability is disabled. You can toggle the capability without restarting the search head.

The heuristics that determine when to disconnect a search from a slow peer are complex and tunable by means of several parameters in the [slow_peer_disconnect] stanza. If you feel the need to use this capability, contact Splunk Professional Services for guidance in adjusting the heuristics for your specific deployment needs.
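
The check below is an added example, not part of the Splunk documentation: it reads the text of one limits.conf file and reports whether [slow_peer_disconnect] is enabled, so you can tell which search heads may return results without a slow peer's data. It assumes the stanza's on/off switch is the `disabled` key from limits.conf.spec; the sample text and the `hypothetical_tunable` key are constructed.

```python
# Added example: audit limits.conf text for the [slow_peer_disconnect] stanza.
# "disabled" is the stanza's on/off key in limits.conf.spec; sample text is constructed.
STANZA = "slow_peer_disconnect"
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # assumption: accepted "true" spellings

SAMPLE_ENABLED = """\
[other_stanza]
disabled = true

[slow_peer_disconnect]
# constructed sample; hypothetical_tunable is a placeholder, not a real setting
disabled = false
hypothetical_tunable = 1
"""
SAMPLE_DEFAULT = "[other_stanza]\ndisabled = false\n"  # stanza absent


def parse_stanza(conf_text, stanza=STANZA):
    """Return key/value pairs set under [stanza]; later lines override earlier ones."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit(conf_text):
    """Report whether slow-peer disconnect is on and which other keys were set."""
    settings = parse_stanza(conf_text)
    # The capability is disabled by default, so a missing key means "off".
    disabled = settings.get("disabled", "true").lower() in TRUE_VALUES
    tuned = sorted(k for k in settings if k != "disabled")
    return {"enabled": not disabled, "tuned_parameters": tuned}


if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("default", SAMPLE_DEFAULT)):
        print(name, audit(text))
```

The function inspects a single file; the effective setting on a search head is the merge of every limits.conf copy, which `splunk btool limits list slow_peer_disconnect` prints.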

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4
