Version: Atlas v4.3

Using Search Hub

Search Hub provides two core capabilities for managing search activity in Splunk:

  1. The Scheduled Searches page, where admins and creators can review all scheduled searches in an environment.
  2. The Search Governance Rules page, where governance policies are configured to automate review and remediation. Learn more about setup on the Configuration page.

Implementing Search Governance

Unmanaged scheduled searches can consume excessive resources and impact Splunk performance. Search Hub enables admins to enforce search governance automatically, improving visibility and stability without additional manual oversight.

This section outlines a recommended adoption workflow. Later sections detail each page feature.

Recommended adoption workflow:

  1. Turn on Search Hub Governance Automation.
  2. Create rules aligned to your environment. Start with high-impact searches (for example, run_count > 10 or avg_runtime > 120).
  3. Run in passive mode (no auto-remediation) for several days.
  4. Review Warning searches and adjust rules as needed.
  5. Use Bulk Auto Balance on searches with high skip or concurrency rates to distribute load across time slots.
  6. Enable automated alerting and escalation, typically with a 7-day escalation period.

Users receive notifications when their searches fail compliance. Admins maintain an audit trail for each edit or search disablement following escalation.

For environments with strict SVC consumption requirements, add SVC utilization rules and enable Auto Disable after 7 days. This ensures that searches with unresolved violations are automatically disabled.

Scheduled Searches Page

Search Hub analyzes Search Peers configured as Atlas Targets. Use the Target Server dropdown in the top right to select the desired environment.

The Scheduled Searches page provides multiple views to help admins understand how scheduled searches affect Splunk performance.

Scheduler History

The Scheduler History chart tracks search activity over time. The x-axis bins are determined by the Time Range input. For identifying bottlenecks, review the most recent 4 hours of data.

Metrics include:

  • Searches Scheduled
  • Searches Pending
  • Searches Running
  • Searches Skipped
  • Environment Limit (visual reference line)

This visualization helps identify bottlenecks and skipped searches. If the number of scheduled or running searches exceeds the environment limit, the risk of skipped searches, slowdowns, and resource contention increases. Selecting a bar filters the table below to searches active during that time window.

Rule Overview Panel

If Search Governance Automation is enabled, a Rule Compliance KPI panel appears, showing how many searches are breaking governance rules. Clicking a value filters the All Scheduled Searches table.

The panel alternates with a Rule Violations view, which lists how many searches are breaching each specific rule. Each value is also clickable for filtering.

All Scheduled Searches Table

The All Scheduled Searches table lists all searches that ran during the selected time range. Use the toggle in the top right to include or exclude ignored searches.

Default columns include:

  • Compliance – Passing, Warning, or Escalated (if governance is enabled), or Enabled/Disabled (if not).
  • Search Name – The report or search title.
  • Search Owner – The user account that owns the search.
  • Avg Result Count – Average number of results returned.
  • Rule Violations – Any triggered rules (for example, High Frequency, High Impact).
  • Violation Date – Timestamp of the latest violation.
  • Actions – Options to drill down, run, or inspect search details.

Optional columns include:

  • Search App
  • Cron Schedule
  • Search Interval
  • Average and Total SVC Consumption (Cloud only)
  • Average and Total Runtime
  • Skip Rate (%) and Total Skip Count
  • Run Count

At the bottom of the dashboard, the Action Logs panel lists all audit actions related to Search Hub. Selecting a search filters this log to entries for that specific search.

Search Actions

The Actions column provides tools to investigate or remediate searches:

  • Go To Search – Opens Splunk’s Searches and Reports view filtered to the selected search.
  • Run Search – Opens and runs the search in a new window.
  • Inspect Search – Opens the Inspect Search modal.
  • Fix Search – Opens the Fix Search modal.

Inspect Search Modal

The Inspect Search modal allows in-depth investigation of search configuration details. A navigation bar at the top right lets you switch to other modals or open the search in a new tab.

Tabs:

  • Search Information – Displays SPL and configuration details.
  • Search Change History – Charts historical runs, configuration changes, and Atlas-logged comments.

Fix Search Modal

The Fix Search modal allows impactful configuration changes. A navigation bar at the top right enables switching to other modals or opening the search in a new tab.

Tabs:

  • Improve Schedule – Suggests schedule adjustments to reduce concurrency and skips. Allows adding notes to changes.
  • Fix Time Range – Identifies misaligned time ranges and intervals that may cause over- or under-searching. Offers a one-click option to align them.

Bulk Actions

Selecting one or more searches in the table enables bulk actions. Buttons appear at the bottom left of the table:

  • Ignore/Unignore Searches – Marks selected searches as ignored or active. Defaults to Ignore unless all are already ignored.
  • Enable/Disable Searches – Enables or disables selected searches. Defaults to Disable unless all are already disabled.
  • Auto Balance Searches – Opens the Auto Balance modal to bulk reschedule searches using Atlas automation.

Search Compliance States

Search Hub continuously evaluates searches against governance rules, updating status automatically:

  • Passing – Search meets compliance requirements.
  • Warning – One or more rules triggered.
  • Escalated – Search has remained in violation for the configured escalation period.
  • Disabled – Search has been disabled.
  • Ignored – Search has been excluded from notifications and remediation.
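
As an added illustration (not Atlas code and not taken from the Search Hub product), the sketch below models how a passive-mode review could classify searches using the example thresholds from the adoption workflow, a 7-day escalation period, and the states listed above. The pairing of thresholds with rule names, the runtime unit (seconds), the sample runs and dates, and all function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample runs: (search name, status, runtime in seconds, assumed unit)
RUNS = ([("Frequent Lookup Gen", "success", 4.0)] * 12
        + [("Heavy Weekly Report", "success", 300.0)] * 2
        + [("Heavy Weekly Report", "skipped", 0.0)]
        + [("Small Alert", "success", 8.0)] * 3)
# Constructed review date and first-violation dates
SAMPLE_NOW = datetime(2024, 1, 10)
SAMPLE_FIRST_SEEN = {"Frequent Lookup Gen": datetime(2024, 1, 8),
                     "Heavy Weekly Report": datetime(2024, 1, 1)}
# Thresholds from the workflow; pairing with these rule names is assumed
RULES = {"High Frequency": lambda m: m["run_count"] > 10,
         "High Impact": lambda m: m["avg_runtime"] > 120}

def metrics(runs):
    """Aggregate per-search run count, average runtime and skip rate."""
    acc = defaultdict(lambda: {"runs": 0, "runtime": 0.0, "skipped": 0})
    for name, status, runtime in runs:
        if status == "skipped":
            acc[name]["skipped"] += 1
        else:
            acc[name]["runs"] += 1
            acc[name]["runtime"] += runtime
    return {name: {"run_count": a["runs"],
                   "avg_runtime": a["runtime"] / a["runs"] if a["runs"] else 0.0,
                   "skip_rate": 100.0 * a["skipped"] / (a["runs"] + a["skipped"])}
            for name, a in acc.items()}

def compliance(m, first_violation, now, escalation=timedelta(days=7), ignored=False):
    """Return (state, violated rule names) for one search's metrics."""
    violations = [rule for rule, test in RULES.items() if test(m)]
    if ignored:
        return "Ignored", violations
    if not violations:
        return "Passing", violations
    if first_violation is not None and now - first_violation >= escalation:
        return "Escalated", violations
    return "Warning", violations

def report(now, first_seen, ignored=()):
    return {name: compliance(m, first_seen.get(name), now, ignored=name in ignored)
            for name, m in metrics(RUNS).items()}

if __name__ == "__main__":
    for name, (state, rules) in report(SAMPLE_NOW, SAMPLE_FIRST_SEEN).items():
        print(f"{name}: {state} {rules}")
```

Running a model like this against a few days of exported scheduler data is one way to sanity-check proposed thresholds before enabling escalation or Auto Disable.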