Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are best practices for creating a dashboard of saved searches without hitting the concurrent search quota per user?

bruceclarke
Contributor
‎11-13-2014 02:11 PM

All,

I'd like to allow users to create a dashboard of saved searches without it counting towards their search quota. As it stands now, it seems like any dashboard will run the saved searches under the user account that created these saved searches.

For example, if Jon creates a dashboard comprised of saved searches that he wrote, then Smith opens the dashboard, it still counts towards Jon's search quota. At least that's what I'm seeing.

Is there any way around this issue? What's the best practice for handling this?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎12-08-2014 02:48 PM

Here are the few suggestions,

  1. Move the searches to admin / nobody level.
  2. Use search template to create dashboards - It will ensure the res-usability.
  3. If the above two steps not helps then increasing number of concurrent searches will be the only option.

Cheers.

V

View solution in original post

Reply
Solved! Jump to solution

Runals
Motivator
‎01-11-2015 01:43 PM

You should also realize that if Jon creates the saved query and that saved query is put into a dashboard not only does this count against Jon's quota it is also run with Jon's permissions. This was a 6x thing that took us unawares as Splunk didn't, especially at first - believe has somewhat been addressed, handle this issue gracefully when the number of panels on the dashboard was greater than 2x the concurrent search quota.

Besides adjusting the saved search owner to a different role that has a higher concurrent search quota you could also convert the search to be inline. When the search is now run it is run with the quota and permissions of whoever is opening the dashboard. Another option if this is going to be a heavily used dashboard is schedule the search so that the dashboard uses the search artifacts vs running the searches each time someone opens/refreshes the dashboard.

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎12-08-2014 02:48 PM

Here are the few suggestions,

  1. Move the searches to admin / nobody level.
  2. Use search template to create dashboards - It will ensure the res-usability.
  3. If the above two steps not helps then increasing number of concurrent searches will be the only option.

Cheers.

V
Reply
Solved! Jump to solution

bruceclarke
Contributor
‎12-08-2014 02:26 PM

I've just increased the number of concurrent searches that a user is able to make, but I'd really like to hear what best practices (if any) others have come up with.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...