Splunk ES performance fundamentals (skipped searches)
When you have a busy Splunk environment with multiple apps, ES and custom correlation searches you need to make sure to optimize your configuration to best use your kit. Scheduling your searches and prioritizing them appropriately is usually step 1. When you create a correlation search its important to configure the following parameters: Cron Schedule You can randomize the run times yourself here 2,22,42 * * * * (for a 20m search) Scheduling Continuous is less intensive than Real-time Schedule Window auto is my preferred option here Schedule Priority Usually preferred option is Higher (which makes it fifth overall in the priority order which you can see here ) More detailed explanations as always in the manual here . Having taken into consideration the latter, leaves the searches that run in Splunk due to installed apps, be that ES, CIM acceleration or other apps you have installed in your search head. The scheduler is the source of very valuable informatio
