Skip to main content
Version: Atlas v4.2

Using Search Hub

Search Hub provides two major capabilities for managing search activity in Splunk:

  1. The Scheduled Searches page, where admins and creators can inspect all scheduled searches in the environment.
  2. The Search Governance Rules page, where governance rules are configured to automate review and remediation. Learn about setup on the Configuration page.

Implementing Search Governance

Unmanaged scheduled searches can degrade Splunk environments by consuming excessive resources. Search Hub enables Admins to enforce governance automatically, improving performance and visibility without adding manual effort. This section provides an outline for adoption while later sections break down page features.

Recommended adoption workflow:

  1. Turn on Search Hub Governance Automation.
  2. Create rules aligned to your environment. Start with high-impact searches (e.g., run_count > 10 or avg_runtime > 120).
  3. Run in passive mode (no auto-remediation) for several days.
  4. Review Warning searches. Adjust rules if needed.
  5. Run Bulk Auto Balance on searches with high skips or concurrency to spread them across time slots.
  6. Enable automated alerting and escalation, typically to 7 days.

Users will receive notifications when their searches fail compliance. Admins will have an audit trail to justify edits or disabling searches after escalation.

For environments with strict SVC consumption requirements, add SVC utilization rules and enable Auto Disable after 7 days. This ensures unresolved problem searches are automatically disabled.

Scheduled Searches Page

Search Hub can analyze Search Peers set up as Atlas Targets. Use the Target Server dropdown in the top right to select the appropriate environment.

The Scheduled Searches page offers multiple views to understand how scheduled searches are impacting Splunk:

Scheduler History

The Scheduler History time chart tracks scheduled search performance over time. Metrics include:

  • Searches Scheduled
  • Searches Pending
  • Searches Running
  • Searches Skipped
  • Environment Limit (visual reference line)

This visualization helps admins identify bottlenecks and skipped searches. If the number of scheduled or running searches exceeds the environment limit, risk increases for skipped searches, slowdowns, and higher resource consumption.

Rule Compliance Panel

If Search Governance Automation is enabled, a Rule Compliance KPI panel will display. It shows how many searches are breaking governance rules. Clicking a value filters the All Scheduled Searches table accordingly.

All Scheduled Searches Table

The All Scheduled Searches table displays all scheduled searches run during the selected time range. Use the toggle in the top right to include or exclude ignored searches.

Default columns include:

  • Compliance: Passing, Warning, or Escalated based on rule checks. If governance is not enabled, displays Enabled or Disabled.
  • Search Name: The report or search title.
  • Search Owner: User account that owns the search.
  • Avg Result Count: Average number of results.
  • Rule Violations: Flags any rules triggered (e.g., High Frequency, High Impact).
  • Violation Date: Timestamp of the last violation.
  • Actions: Drill down, run, or inspect search details.

Additional optional columns include:

  • Search App
  • Cron Schedule
  • Search Interval
  • Average and Total SVC Consumption (Cloud only)
  • Average and Total Runtime
  • Skip Rate (%) and Total Skip Count
  • Run Count

At the bottom of the dashboard, the Action Logs panel displays all audit actions associated with Search Hub. Selecting a search in the table filters the Action Logs to only that search.

Search Actions

The Actions column in the table contains tools to investigate or remediate searches:

  • Go To Search: Opens Splunk’s Searches and Reports view filtered to the selected search.
  • Run Search: Opens and runs the search in a new search window.
  • Inspect Search: Opens the Inspect Search Modal (see below).

Inspect Search Modal

The Inspect Search Modal allows deeper investigation and configuration changes. It includes three tabs:

  • Search Information: SPL and configuration details.
  • Improve Schedule: Test recommended schedule changes to reduce concurrency and skips. Notes can be added to changes.
  • Search Change History: Historical chart of runs, changes, and comments logged by Atlas.

Bulk Actions

By selecting one or more searches in the table, bulk actions are enabled. Buttons appear in the bottom left of the table:

  • Ignore Searches: Marks selected searches as ignored.
  • Disable Searches: Disables selected searches.
  • Auto Balance Searches: Opens the Auto Balance modal to bulk reschedule searches with Atlas automation.

Search Compliance States

Search Hub evaluates searches against governance rules, with statuses updated automatically:

  • Passing: Search meets compliance.
  • Warning: One or more rules triggered.
  • Escalated: Search has remained in violation for the configured escalation period.
  • Disabled: Search has been disabled.
  • Ignored: Search marked as ignored. Ignored searches are excluded from notifications and remediation.