Version: Atlas v4.4

Using Search Hub

Search Hub provides two core capabilities for managing search activity in Splunk:

  1. The Scheduled Searches page, where admins and creators can review all scheduled searches in an environment.
  2. The Search Governance Rules page, where governance policies are configured to automate review and remediation. Learn more about setup on the Configuration page.

Search Hub can use Atlas Targets to interact with multiple Splunk environments. Refer to the Getting Started documentation to set up this feature.

Implementing Search Governance

Unmanaged scheduled searches can consume excessive resources and impact Splunk performance. Search Hub enables admins to enforce search governance automatically, improving visibility and stability without additional manual oversight.

This section outlines a recommended adoption workflow. Later sections detail each page feature.

Recommended adoption workflow:

  1. Turn on Search Hub Governance Automation.
  2. Create rules aligned to your environment. Start with high-impact searches (for example, run_count > 10 or avg_runtime > 120).
  3. Run in passive mode (no auto-remediation) for several days.
  4. Review Warning searches and adjust rules as needed.
  5. Use Bulk Auto-Balance on searches with high skip or concurrency rates to distribute load across time slots.
  6. Enable automated alerting and escalation, typically with a 7-day escalation period.

Users receive notifications when their searches fail compliance. Admins maintain an audit trail for each edit or search disablement following escalation.

For environments with strict SVC consumption requirements, add SVC utilization rules and enable Auto Disable after 7 days. This ensures unresolved violations are automatically disabled.

Scheduled Searches Page

The Scheduled Searches page provides multiple views to help admins understand how scheduled searches affect Splunk performance. The Scheduled Searches table lists all searches that ran during the selected time range.

Default Views & Additional Columns

The View dropdown offers pre-made collections of columns for the table, making it easy to get started in Search Hub. The default views include:

  • Overview: Provides a general view of search configurations and performance, enabling triage of poorly performing scheduled searches.
  • Governance: Uses the Search Governance Framework to show each search's compliance status, current rule violations, and violation timestamps. This is useful for Atlas Admins who need to quickly identify rule-breaking scheduled searches.
  • SVC Utilization: Available only on Splunk Cloud. It shows SVCs per search along with related performance metrics. Select this view to quickly identify high SVC spend.

The data table's column button lets you add additional columns to the view. Your column selection is saved, but it is cleared when you select a default view.

Filters Sidebar

The Filters side panel lets users quickly filter the table contents and choose the environment to inspect.

  • Compliance: Selecting a status in the Compliance section filters the table to searches with that status. Use this to quickly find searches that break Search Governance rules.
  • Rule Violations: When a search violates a Search Governance rule, that rule appears in this section for quick filtering.
  • Environments: Select which environment's searches to inspect. Every correctly configured Atlas Target appears here, and only one environment can be viewed at a time. Defaults to the local environment when none is selected.

Bulk Actions

Atlas users with the correct permissions can use bulk actions by selecting the checkbox for one or more searches. Bulk action buttons appear at the bottom left of the table.

  • Ignore/Unignore Searches: Marks selected searches as ignored or active. Defaults to Ignore unless all are already ignored.
  • Enable/Disable Searches: Enables or disables selected searches. Defaults to Disable unless all are already disabled.
  • Auto-Balance Searches: Opens the Auto-Balance modal to bulk align searches using Atlas automation. This process can skew searches to eliminate high-concurrency bottlenecks.
  • Reschedules: Opens the Reschedule modal to bulk reschedule searches using Atlas automation. Use this feature to reschedule searches so they follow best practices and to align their time ranges.

Detailed Modals & Actions

Selecting the kebab (three dots) button on the far right of the table enables the user to view additional details and perform actions.

  • Open in Search: Opens Splunk’s Searches and Reports view filtered to the selected search.
  • Run in Splunk: Opens and runs the search in a new window.
  • Open Search Info: Opens the Search Information modal.
  • Fix Search: Opens the Fix Search modal.

Search Information Modal

The Search Information modal allows in-depth investigation of search configuration details. A navigation bar at the top right lets you switch to other modals or open the search in a new tab.

Tabs:

  • Search Information: Displays SPL and configuration details.
  • Search Change History: Charts historical runs, configuration changes, and Atlas-logged comments.

Fix Search Modal

The Fix Search modal allows impactful configuration changes. A navigation bar at the top right enables switching to other modals or opening the search in a new tab.

Tabs:

  • Improve Schedule: Suggests schedule adjustments to reduce concurrency and skips. Allows adding notes to changes.
  • Fix Time Range: Identifies misaligned time ranges and intervals that may cause over- or under-searching. Offers a one-click option to align them. Allows adding notes to changes.

Search Compliance States

Search Hub continuously evaluates searches against governance rules, updating status automatically:

  • Passing: Search meets compliance requirements.
  • Warning: One or more rules triggered.
  • Escalated: Search has remained in violation for the configured escalation period.
  • Disabled: Search has been disabled.
  • Ignored: Search has been excluded from notifications and remediation.
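
The following added example (not Atlas code) models a passive-mode pass: it applies the example thresholds from the recommended adoption workflow to per-search statistics and assigns the Passing, Warning and Escalated states listed above, without changing any search. The log lines are constructed in the key=value style of Splunk's scheduler log; the rule names, seconds as the runtime unit, and the first-violation map are assumptions. Disabled and Ignored are not modeled because they result from an action on the search.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
# Thresholds are the workflow's examples; seconds and rule names are assumptions.
RULES = {"high_run_count": lambda s: s["run_count"] > 10,
         "long_avg_runtime": lambda s: s["avg_runtime"] > 120}

def summarize(lines):
    """Aggregate run_count, skipped and avg_runtime per saved search."""
    acc = defaultdict(lambda: {"run_count": 0, "skipped": 0, "total": 0.0})
    for line in lines:
        f = {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}
        if "savedsearch_name" not in f:
            continue  # not a scheduler record
        s = acc[f["savedsearch_name"]]
        if f.get("status") == "skipped":
            s["skipped"] += 1  # skipped runs must not dilute avg_runtime
        else:
            s["run_count"] += 1
            s["total"] += float(f.get("run_time", 0))
    for s in acc.values():
        s["avg_runtime"] = s["total"] / s["run_count"] if s["run_count"] else 0.0
    return dict(acc)

def classify(stats, first_violation, now, period=timedelta(days=7)):
    """Passive-mode report: (state, violated rules) per search; changes nothing."""
    report = {}
    for name, s in stats.items():
        hits = [rule for rule, test in RULES.items() if test(s)]
        if not hits:
            state = "Passing"
        else:
            overdue = now - first_violation.get(name, now) >= period
            state = "Escalated" if overdue else "Warning"
        report[name] = (state, hits)
    return report

def demo():
    """Run both steps over constructed records (not real log data)."""
    row = 'savedsearch_name="{}", app="search", user="{}", status={}, run_time={}'
    lines = [row.format("Every-minute ping", "alice", "success", 2.0)] * 12
    lines += [row.format("Nightly big join", "bob", "success", 300.0)] * 2
    lines += [row.format("Nightly big join", "bob", "skipped", 0)]
    lines += [row.format("Hourly summary", "carol", "success", 15.0)] * 3
    seen = {"Nightly big join": datetime(2024, 1, 1),
            "Every-minute ping": datetime(2024, 1, 8)}
    return classify(summarize(lines), seen, now=datetime(2024, 1, 10))
```

Reviewing the Warning rows of such a report before enabling remediation shows which thresholds are too tight for the environment.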

Impact Page Overview

Search Hub's Impact page provides a clear overview of Splunk resource consumption by scheduled searches, alongside the actions Search Hub has performed. This view lets Splunk Admins show the impact of Search Hub on their environment and track the actions performed over the selected time range.

Search Hub Performance Visual

The Performance Visual time chart displays the total Run Time or SVC Consumption generated by Scheduled Searches in the environment. Splunk Cloud deployments can toggle between both metrics, while on-premises environments can view Run Time only. These values are critical for understanding overall system performance and controlling license usage. Reducing unnecessary Run Time and SVC consumption is a key objective for any Splunk administration team.

Atlas also plots Search Hub actions directly on the chart to provide operational context. Action markers include:

  • Yellow Markers: Search Governance rule changes, including rules created, modified, enabled, or disabled.
  • Red Markers: Searches disabled by Search Governance remediation or Search Hub automation.
  • Blue Markers: Searches modified by users through Search Hub modals or Auto-Balance operations.

Additional details for each action type are available in the Search Hub Actions table located below the visualization.

Summary Panel

The Summary Panel on the right highlights key operational values and can be toggled between three distinct views:

  • Activity Summary: Displays the total number of searches modified using Fix It or Auto-Balance.
  • Governance Summary: Summarizes all actions taken by the Search Governance framework within the selected time range.
  • Consumption Summary: Shows 7-day fixed metrics including peak SVC or Run Time usage, comparison to the previous 7-day period, and the estimated resources saved by disabled searches across Search Hub.