Monitoring Splunk

Restrict users to fire complex query | force kill the complex query !

chimbudp
Contributor

Background :

I am using Splunk version 4.3.3, having 4 indexers with 1 search head, and using the default configurations for limits.conf.

OS : RHEL 6

Subnet : logging

HDD 1 : 40

HDD 2: 100

Memory : 16

CPU cores :4

With the default settings my search head is capable of doing 4 concurrent searches (as recommended by Splunk).
However, I often get "maximum historical search limit is reached", and this is quite annoying for my users.

Suggest me the best idea to resolve this (something from my readings; correct me if I am wrong below):

  • Shall I tweak the default settings in limits.conf? How far is it recommended to localize this configuration file?
  • Shall I increase the number of cores in the search head's CPU?
  • Do I need to go for multiple search heads?

Can I try this:

Restrict the Splunk users from triggering a complex query, or a query which fetches very old data.
Restrict features in the TimeRange picker (remove the "All Time" selection).

However, I wanted to limit the users from running complex queries. Are there any tricks?
Or is there any way to force the search query to show limited data, even though a long time range is selected?

Kindly advise.

Thanks,

Chimbu

0 Karma

alacercogitatus
SplunkTrust

Version 4.3.3 is no longer supported. I suggest upgrading both Splunk and the number of cores you have. The hardware specification requirements are here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Installation/SystemRequirements#Recommended_hardwa...

0 Karma

linu1988
Champion

Then it needs to be set per role in authorize.conf; parameters like srchMaxTime, srchTimeWin and srchJobsQuota will help you restrict the users from running long queries. Regarding the complexity, there are not many options if you don't have any static queries to allow them.

0 Karma
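The role-based limits named in the answer above, as an added authorize.conf example that is not from the original thread or from Splunk's own docs. It assumes a role named `api_reader` (hypothetical) used by the external components that fire searches over the REST API, since the asker has no saved searches to pin those users to; the search window, run-time and quota values are illustrative choices, not Splunk defaults.

```ini
# etc/system/local/authorize.conf (or an app's local/ directory)
# Assumed role for the REST API accounts that fire ad-hoc searches.
# Each setting below is evaluated per role; the tightest value wins
# when a user holds several roles, so keep this role narrow.

[role_api_reader]
# Inherit the basic capabilities of the built-in "user" role.
importRoles = user

# Hard cap on how far back any search from this role may look,
# in seconds. 2592000 s = 30 days. Even if a caller selects
# "All Time", earliest is clamped to now - 30 days.
srchTimeWin = 2592000

# Maximum wall-clock time a search from this role may run before
# Splunk finalizes it. A runaway "complex" query is cut off here.
srchMaxTime = 10m

# Maximum concurrent historical search jobs for ONE user in this
# role. Keeping this below the search head's total concurrency
# (4 on the asker's 4-core box) stops a single API account from
# consuming every slot and triggering the "maximum historical
# search limit is reached" message for everybody else.
srchJobsQuota = 2

# Concurrent real-time searches; set to 0 if the API never needs them.
rtSrchJobsQuota = 0

# Disk space (MB) one user's search artifacts may occupy.
srchDiskQuota = 100
```

After a restart, confirm the effective values with `splunk btool authorize list role_api_reader --debug`, which also shows which file each setting came from.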

chimbudp
Contributor

I can't have saved searches, since the searches are fired from some external components via the REST API...

0 Karma

linu1988
Champion

The message shows up because of the limitation on the roles for concurrent searches. You can have saved searches to avoid this, or the maximum concurrent searches need to be altered.

0 Karma

chimbudp
Contributor

Okay. After I upgrade Splunk to its latest version, suggest me what action I can take?

0 Karma