Dear all,
We're starting to suffer from our users: our clustered architecture is collapsing under the heavy load of searches, which prevents our indexers from indexing. O_o
Using Splunk Enterprise 7.0.5, we don't have access to the Workload Management feature that starts in Splunk 7.2.x, and even so, our Linux is not yet a 7.x with systemd, so we won't be able to enforce it after upgrading Splunk yet.
Having more than 2000 users defined in almost 300 search head apps that let them define their dashboards, reports, alerts, schedules and accelerations, it's increasingly vital to pinpoint bad searchers.
Although the Monitoring Console provides some great dashboards, it's a heck of a job to check resource usage per indexer and per search head to get the big picture.
In the answer, I'll share a dashboard made by Splunk Professional Services that I wish I had by default within the Monitoring Console.
It sums the cumulative search time of each user by search type (ad hoc or scheduled) across all search heads and gives you some context like full user name and roles. It even gives you details of all searches run per selected user in a bottom panel!
If it helps me out, I'm sure it will help you out as well; feel free to share. Or maybe you have something even better to share! \o/
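One way to build the summary panel described above as a search over Splunk's own audit log, added here as an example and not the Professional Services dashboard the post refers to. It assumes that the search heads forward their `_audit` index to the indexers (so `host` identifies the search head that ran each search) and relies on the standard audit fields `action`, `info`, `user`, `savedsearch_name` and `total_run_time`; an empty `savedsearch_name` is used as the marker for an ad hoc search, and full user names and roles are pulled from the `/services/authentication/users` REST endpoint on the local search head:

```spl
index=_audit sourcetype=audittrail action=search info=completed
| eval search_type=if(isnull(savedsearch_name) OR savedsearch_name="", "Ad hoc", "Scheduled")
| stats sum(total_run_time) AS total_run_time_sec, count AS searches, dc(host) AS search_heads BY user, search_type
| join type=left user
    [| rest /services/authentication/users splunk_server=local
     | rename title AS user
     | fields user realname roles]
| eval total_run_time_hours=round(total_run_time_sec/3600, 2)
| sort - total_run_time_sec
| table user realname roles search_type searches search_heads total_run_time_hours total_run_time_sec
```

Run it over the time range the panel's time picker supplies; the pipeline carries no inline comments because the SPL comment syntax is not available on 7.0. `info=completed` is what makes `total_run_time` populated, so searches still running or cancelled are not counted. For the bottom detail panel, the same base search filtered with `user=$user$` and tabled as `_time host search_id savedsearch_name total_run_time search` gives the per-user list of searches, and sorting that by `total_run_time` puts the heaviest ones first.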