Using Search Hub
Search Hub provides two core capabilities for managing search activity in Splunk:
- The Scheduled Searches page, where admins and creators can review all scheduled searches in an environment.
- The Search Governance Rules page, where governance policies are configured to automate review and remediation. Learn more about setup on the Configuration page.
Implementing Search Governance
Unmanaged scheduled searches can consume excessive resources and impact Splunk performance. Search Hub enables admins to enforce search governance automatically, improving visibility and stability without additional manual oversight.
This section outlines a recommended adoption workflow. Later sections detail each page feature.
Recommended adoption workflow:
- Turn on Search Hub Governance Automation.
- Create rules aligned to your environment. Start with high-impact searches (for example, run_count > 10 or avg_runtime > 120).
- Run in passive mode (no auto-remediation) for several days.
- Review Warning searches and adjust rules as needed.
- Use Bulk Auto Balance on searches with high skip or concurrency rates to distribute load across time slots.
- Enable automated alerting and escalation, typically with a 7-day escalation period.
Users receive notifications when their searches fail compliance. Admins maintain an audit trail for each edit or search disablement following escalation.
For environments with strict SVC consumption requirements, add SVC utilization rules and enable Auto Disable after 7 days. This ensures that searches with unresolved violations are disabled automatically.
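To preview which searches starter thresholds such as run_count > 10 or avg_runtime > 120 would flag before any rule is created, the query below computes comparable values from Splunk's own scheduler log. It is an added example, not part of Search Hub or the original page. It assumes a 24-hour window, that run_count means runs logged with status=success, and that avg_runtime is the scheduler's run_time field in seconds; Search Hub's own definitions of these metrics may differ.

```spl
index=_internal sourcetype=scheduler earliest=-24h
| stats count(eval(status="success")) AS run_count
        count(eval(status="skipped")) AS skip_count
        avg(run_time) AS avg_runtime
        BY savedsearch_name app user
| eval skip_rate_pct = round(100 * skip_count / (run_count + skip_count), 1)
| eval avg_runtime = round(avg_runtime, 1)
| where run_count > 10 OR avg_runtime > 120
| sort - avg_runtime
| table savedsearch_name app user run_count avg_runtime skip_count skip_rate_pct
```

Searches with a high skip_rate_pct in this output are the natural candidates for Bulk Auto Balance, and the owner in the user column is the person who would receive the compliance notification.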
Scheduled Searches Page
Search Hub analyzes Search Peers configured as Atlas Targets. Use the Target Server dropdown in the top right to select the desired environment.
The Scheduled Searches page provides multiple views to help admins understand how scheduled searches affect Splunk performance.
Scheduler History
The Scheduler History chart tracks search activity over time. The x-axis bins are determined by the Time Range input. For identifying bottlenecks, review the most recent 4 hours of data.
Metrics include:
- Searches Scheduled
- Searches Pending
- Searches Running
- Searches Skipped
- Environment Limit (visual reference line)
This visualization helps identify bottlenecks and skipped searches. If the number of scheduled or running searches exceeds the environment limit, the risk of skipped searches, slowdowns, and resource contention increases. Selecting a bar filters the table below to searches active during that time window.
Rule Overview Panel
If Search Governance Automation is enabled, a Rule Compliance KPI panel appears, showing how many searches are breaking governance rules. Clicking a value filters the All Scheduled Searches table.
The panel alternates with a Rule Violations view, which lists how many searches are breaching each specific rule. Each value is also clickable for filtering.
All Scheduled Searches Table
The All Scheduled Searches table lists all searches that ran during the selected time range. Use the toggle in the top right to include or exclude ignored searches.
Default columns include:
- Compliance – Passing, Warning, or Escalated (if governance is enabled), or Enabled/Disabled (if not).
- Search Name – The report or search title.
- Search Owner – The user account that owns the search.
- Avg Result Count – Average number of results returned.
- Rule Violations – Any triggered rules (for example, High Frequency, High Impact).
- Violation Date – Timestamp of the latest violation.
- Actions – Options to drill down, run, or inspect search details.
Optional columns include:
- Search App
- Cron Schedule
- Search Intervals
- Average, 90 Percentile, and Total SVC Consumption (Cloud only)
- Average, 90 Percentile, and Total Runtime
- Skip Rate (%) and Total Skip Count
- Run Count
At the bottom of the dashboard, the Action Logs panel lists all audit actions related to Search Hub. Selecting a search filters this log to entries for that specific search.
Search Actions
The Actions column provides tools to investigate or remediate searches:
- Go To Search – Opens Splunk’s Searches and Reports view filtered to the selected search.
- Run Search – Opens and runs the search in a new window.
- Inspect Search – Opens the Inspect Search modal.
- Fix Search – Opens the Fix Search modal.
Inspect Search Modal
The Inspect Search modal allows in-depth investigation of search configuration details. A navigation bar at the top right lets you switch to other modals or open the search in a new tab.
Tabs:
- Search Information – Displays SPL and configuration details.
- Search Change History – Charts historical runs, configuration changes, and Atlas-logged comments.
Fix Search Modal
The Fix Search modal allows impactful configuration changes. A navigation bar at the top right enables switching to other modals or opening the search in a new tab.
Tabs:
- Improve Schedule – Suggests schedule adjustments to reduce concurrency and skips. Allows adding notes to changes.
- Fix Time Range – Identifies misaligned time ranges and intervals that may cause over- or under-searching. Offers a one-click option to align them.
Bulk Actions
Selecting one or more searches in the table enables bulk actions. Buttons appear at the bottom left of the table:
- Ignore/Unignore Searches – Marks selected searches as ignored or active. Defaults to Ignore unless all are already ignored.
- Enable/Disable Searches – Enables or disables selected searches. Defaults to Disable unless all are already disabled.
- Auto Balance Searches – Opens the Auto Balance modal to bulk reschedule searches using Atlas automation.
Search Compliance States
Search Hub continuously evaluates searches against governance rules, updating status automatically:
- Passing – Search meets compliance requirements.
- Warning – One or more rules triggered.
- Escalated – Search has remained in violation for the configured escalation period.
- Disabled – Search has been disabled.
- Ignored – Search has been excluded from notifications and remediation.
Impact Page Overview
Search Hub's Impact page provides a clear overview of Splunk resource consumption by Scheduled Searches, alongside the actions Search Hub has performed. This view lets Splunk admins demonstrate the impact of Search Hub on their environment and track the actions performed over the selected time range.
Search Hub Performance Visual
The Performance Visual time chart displays the total Run Time or SVC Consumption generated by Scheduled Searches in the environment. Splunk Cloud deployments can toggle between both metrics, while on-premises environments can view Run Time only. These values are critical for understanding overall system performance and controlling license usage. Reducing unnecessary Run Time and SVC consumption is a key objective for any Splunk administration team.
Atlas also plots Search Hub actions directly on the chart to provide operational context. Action markers include:
- Yellow Markers: Search Governance rule changes, including rules created, modified, enabled, or disabled.
- Red Markers: Searches disabled by Search Governance remediation or Search Hub automation.
- Blue Markers: Searches modified by users through Search Hub modals or Autobalance operations.
Additional details for each action type are available in the Search Hub Actions table located below the visualization.
Summary Panel
The Summary Panel on the right highlights key operational values and can be toggled between three distinct views:
- Activity Summary: Displays the total number of searches modified using Fix It or Autobalance.
- Governance Summary: Summarizes all actions taken by the Search Governance framework within the selected time range.
- Consumption Summary: Shows 7-day fixed metrics including peak SVC or Run Time usage, comparison to the previous 7-day period, and the estimated resources saved by disabled searches across Search Hub.