Using Search Hub
Search Hub provides two core capabilities for managing search activity in Splunk:
- The Scheduled Searches page, where Atlas users can review scheduled searches in an environment.
- The Search Governance Rules page, where Atlas Creators and Atlas Admins configure governance policies and Atlas users review governance results. Learn more about setup on the Configuration page.
Search Hub uses a summarization metric index, background searches, and KV Store data to populate the Scheduled Searches experience quickly. Because the page is driven by summarized data, recent changes can take a short time to appear after Search Hub background searches run.
Search Hub can leverage Atlas Targets to inspect scheduled searches across multiple Splunk environments. When Atlas Targets are configured, targeted searches appear in the normal Search Hub workflow and can be reviewed through the Environments filter.
Implementing Search Governance
Unmanaged scheduled searches can consume excessive resources and impact Splunk performance. Search Hub enables admins to enforce search governance automatically, improving visibility and stability without additional manual oversight.
This section outlines a recommended adoption workflow. Later sections detail each page feature.
Recommended adoption workflow:
- As an Atlas Admin, configure Search Hub and confirm that the required background searches are enabled.
- Create rules aligned to your environment. Start with high-impact searches such as run_count > 10 or avg_runtime > 120.
- Run in passive mode without auto-remediation for several days.
- Review Warning searches and adjust rules as needed.
- Use Bulk Auto-Balance on searches with high skip or concurrency rates to distribute load across time slots.
- Enable automated alerting and escalation, typically with a 7-day escalation period.
Users receive notifications when their searches fail compliance. Admins maintain an audit trail for each edit or search disablement following escalation.
For environments with strict SVC consumption requirements, add SVC utilization rules and enable Auto Disable after 7 days. This ensures that searches with unresolved violations are automatically disabled.
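Before creating the first rules, it can help to preview which searches the example thresholds above (run_count > 10, avg_runtime > 120) would flag. The following is an added example, not Atlas or Search Hub code: it parses constructed lines in the key=value style of Splunk's scheduler.log and applies both thresholds. How Search Hub itself computes run_count and avg_runtime is not stated on this page, so counting only status=success runs over whatever period the log lines cover is an assumption.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
MAX_RUN_COUNT, MAX_AVG_RUNTIME = 10, 120.0   # thresholds quoted in the workflow

def summarize(lines):
    """Per (app, search): completed runs, their total run time, and skips."""
    stats = defaultdict(lambda: {"run_count": 0, "total_runtime": 0.0, "skipped": 0})
    for line in lines:
        f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if "savedsearch_name" not in f:
            continue
        s = stats[(f.get("app", ""), f["savedsearch_name"])]
        if f.get("status") == "skipped":
            s["skipped"] += 1
        elif f.get("status") == "success":   # assumption: only completed runs count
            s["run_count"] += 1
            s["total_runtime"] += float(f.get("run_time", 0))
    return stats

def preview_warnings(lines):
    """Searches that would breach either threshold, with the breaching values."""
    flagged = {}
    for key, s in summarize(lines).items():
        avg = s["total_runtime"] / s["run_count"] if s["run_count"] else 0.0
        hits = []
        if s["run_count"] > MAX_RUN_COUNT:
            hits.append(f"run_count={s['run_count']}")
        if avg > MAX_AVG_RUNTIME:
            hits.append(f"avg_runtime={avg:.1f}")
        if hits:
            flagged[key] = hits
    return flagged

def _line(name, status, run_time=None):
    """Build one constructed log line (sample data, not real output)."""
    rt = f", run_time={run_time}" if run_time is not None else ""
    return ('03-10-2025 12:00:05.000 +0000 INFO SavedSplunker - user="admin", '
            f'app="search", savedsearch_name="{name}", status={status}{rt}')

SAMPLE = ([_line("Frequent Lookup Refresh", "success", 2.0)] * 12
          + [_line("Nightly Asset Rollup", "success", r) for r in (300.0, 180.0)]
          + [_line("Hourly Auth Summary", "success", 10.0)] * 4
          + [_line("Hourly Auth Summary", "skipped")] * 2)

if __name__ == "__main__":
    for (app, name), hits in preview_warnings(SAMPLE).items():
        print(f"{app}/{name}: {', '.join(hits)}")
```

The skipped count returned by summarize is kept separate from the thresholds so that searches with high skip rates can be reviewed as Auto-Balance candidates.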
Scheduled Searches Page
The Scheduled Searches page provides multiple views to help teams understand how scheduled searches affect Splunk performance. The Scheduled Searches table is populated from Search Hub summarized performance data stored in the summarization metric index and KV Store, which keeps loading fast while allowing Atlas actions to update the experience between scheduled refreshes.
Default Views & Additional Columns
By selecting the View dropdown, a user can select a pre-made collection of columns for the table to easily get started in Search Hub. The selected view is preserved on page reload. The default views include:
- Overview: This view provides a general picture of search configurations and performance, enabling triage of poorly executing scheduled searches.
- Governance: By leveraging the Search Governance Framework, this view reveals search compliance status, current rule violations, and violation timestamps. This is useful for Atlas Admins to quickly identify rule-breaking scheduled searches.
- SVC Utilization: The SVC Utilization view is only available on Splunk Cloud. It showcases SVCs per search along with related performance metrics. To quickly identify high SVC spend, select this option.
Selecting the data table's column button enables the user to add additional columns to the view. Your column selection is saved, but is cleared by selecting a default view.
Filters Sidebar
The Filters side panel enables users to quickly sort table contents and environments.
- Compliance Section: Selecting a status in the Compliance Section filters the table to searches that have that status. This can be used to quickly find searches breaking Search Governance rules.
- Rule Violations: If a search is in violation of a Search Governance rule, then the rule will be available for quick filtering under this section.
- Environments: Select which environment's searches to inspect. Any correctly configured Atlas Target will appear here, and only one environment can be selected at a time. The local environment is used when none is selected.
Bulk Actions
Atlas users with the correct permissions can use bulk actions by selecting the checkbox for one or more searches. Bulk action buttons appear at the bottom left of the table.
- Ignore/Unignore Searches: Marks selected searches as ignored or active. Defaults to Ignore unless all are already ignored.
- Enable/Disable Searches: Enables or disables selected searches. Defaults to Disable unless all are already disabled.
- Auto-Balance Searches: Opens the Auto-Balance modal to bulk align searches using Atlas automation. This process can easily skew searches to eliminate high concurrency bottlenecks. Auto-Balance is available only when the selected searches are from the same environment.
- Reschedule Searches: Opens the Reschedule modal to bulk reschedule searches using Atlas automation. Status icons and warnings highlight searches that need attention before a change is applied.
Detailed Modals & Actions
Selecting the kebab (three dots) button on the far right of the table enables the user to view additional details and perform actions.
- Open in Search: Opens Splunk’s Searches and Reports view filtered to the selected search.
- Run in Splunk: Opens and runs the search in a new window.
- Open Search Info: Opens the Search Information modal.
- Fix Search: Opens the Fix Search modal.
Search Information Modal
The Search Information modal allows in-depth investigation of search configuration details. A navigation bar at the top right lets you switch to other modals or open the search in a new tab.
Tabs:
- Search Information: Displays SPL and configuration details. When AI Configuration is available in Atlas, Search Hub can also generate a plain-language explainer for the search.
- Search History: Charts historical runs, configuration changes, and Atlas-logged comments.
AI Search Explainer
When AI Configuration is enabled, Search Hub can translate the selected search SPL into human-readable language directly in the Search Information tab.
- The explainer is generated when the modal loads.
- It summarizes what the search is doing and highlights important transformations in the SPL.
- It can provide guidance on how the search is structured and how it might be improved.
- The explainer is shown only when Atlas AI Configuration has been completed successfully.
- For setup requirements, see AI Configuration.
Fix Search Modal
The Fix Search modal allows impactful configuration changes. A navigation bar at the top right enables switching to other modals or opening the search in a new tab.
Tabs:
- Improve Schedule: Suggests schedule adjustments to reduce concurrency and skips. Status feedback shows whether a proposed change can be applied cleanly, and users can add notes to changes.
- Fix Time Range: Identifies misaligned time ranges and intervals that may cause over- or under-searching. Offers a one-click option to align them, refreshes the alignment visual after changes are saved, and allows users to add notes to changes.
Search Compliance States
Search Hub continuously evaluates searches against governance rules, updating status automatically:
- Passing: Search meets compliance requirements.
- Warning: One or more rules triggered.
- Escalated: Search has remained in violation for the configured escalation period.
- Disabled: Search has been disabled.
- Ignored: Search has been excluded from notifications and remediation.
Impact Page Overview
Search Hub's Impact page provides a clear overview of Splunk resource consumption by Scheduled Searches, with the context of what actions Search Hub has performed. This view enables Splunk Admins to show the impact of Search Hub on their environment and to track actions performed over the time range.
Search Hub Performance Visual
The Performance Visual time chart displays the total Run Time or SVC Consumption generated by Scheduled Searches in the environment. Splunk Cloud deployments can toggle between both metrics, while on-premises environments can view Run Time only. These values are critical for understanding overall system performance and controlling license usage. Reducing unnecessary Run Time and SVC consumption is a key objective for any Splunk administration team.
Atlas also plots Search Hub actions directly on the chart to provide operational context. Action markers include:
- Yellow Markers: Search Governance rule changes, including rules created, modified, enabled, or disabled.
- Red Markers: Searches disabled by Search Governance remediation or Search Hub automation.
- Blue Markers: Searches modified by users through Search Hub modals or Auto-Balance operations.
Additional details for each action type are available in the Search Hub Actions table located below the visualization.
Summary Panel
The Summary Panel on the right highlights key operational values and can be toggled between three distinct views:
- Activity Summary: Displays the total number of searches modified using Fix It or Auto-Balance.
- Governance Summary: Summarizes all actions taken by the Search Governance framework within the selected time range.
- Consumption Summary: Shows 7-day fixed metrics including peak SVC or Run Time usage, comparison to the previous 7-day period, and the estimated resources saved by disabled searches across Search Hub.