Background:
I am using Splunk version 4.3.3, with 4 indexers and 1 search head, and using the default configuration for limits.conf.
OS : RHEL 6
Subnet : logging
HDD 1 : 40
HDD 2: 100
Memory : 16
CPU cores :4
With the default settings, my search head is capable of doing 4 concurrent searches (as recommended by Splunk).
However, I often get the message that the maximum historical search limit is reached, and this is quite annoying for my users.
Please suggest the best idea to resolve this (below is something from my reading; correct me if I am wrong).
Can I try this:
Restrict Splunk users from triggering a complex query, or a query which fetches very old data.
Restrict features in the TimeRange picker: remove the "All Time" selection.
However, I wanted to limit the users from running complex queries. Are there any tricks?
Or is there any way to force the search query to show limited data, even though a long time range is selected?
Kindly advise.
Thanks,
Chimbu
Version 4.3.3 is no longer supported. I suggest upgrading both Splunk and the number of cores you have. The hardware specification requirements are here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Installation/SystemRequirements#Recommended_hardwa...
Then it needs to be set specifically for the role in authorize.conf; parameters like srchMaxTime, srchTimeWin and srchJobsQuota will help you restrict the users from having long queries. Regarding the complexity, there are not many options if you don't have any static queries to allow them to.
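An added example, not part of the thread and not Splunk's own code: a check over authorize.conf role stanzas for the three settings named in the reply above. The role names, the sample values, the `max_jobs` threshold and the reading of a non-positive `srchTimeWin` as "no limit" are assumptions.

```python
import configparser

# Constructed sample authorize.conf (not from the thread); values are illustrative.
SAMPLE_AUTHORIZE_CONF = """
[role_api_client]
# Hypothetical role for the external components that search over REST
srchTimeWin = 86400
srchMaxTime = 10m
srchJobsQuota = 2

[role_analyst]
# No srchTimeWin here, so an "All time" search is not capped in this stanza
srchJobsQuota = 8
"""

# The three per-role settings named in the reply above
LIMIT_KEYS = ("srchTimeWin", "srchMaxTime", "srchJobsQuota")


def audit_roles(conf_text, max_jobs=4):
    """Return {role: [findings]} for role stanzas with missing or loose search limits."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the setting names' case as written
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        role, issues = section[len("role_"):], []
        settings = parser[section]
        for key in LIMIT_KEYS:
            if key not in settings:
                issues.append(f"{key} not set in this stanza")
        # Assumption: a non-positive srchTimeWin means no time-window limit
        if "srchTimeWin" in settings and int(settings["srchTimeWin"]) <= 0:
            issues.append("srchTimeWin is unlimited")
        # max_jobs is a site-chosen threshold (assumption), not a Splunk default
        if "srchJobsQuota" in settings and int(settings["srchJobsQuota"]) > max_jobs:
            issues.append(f"srchJobsQuota exceeds {max_jobs}")
        if issues:
            findings[role] = issues
    return findings


if __name__ == "__main__":
    for role, issues in audit_roles(SAMPLE_AUTHORIZE_CONF).items():
        print(role, "->", "; ".join(issues))
```

The check reads only the stanza it is given; settings a role picks up from imported roles are not resolved here.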
I can't have saved searches, since the searches are fired from some external components via REST API ...
The message shows up because of the limitation on the roles for concurrent searches. You can have a saved search to avoid this, or the maximum concurrent searches needs to be altered.
Okay, after I upgrade Splunk to its latest version, please suggest what action I can take?