What are best practices for creating a dashboard of saved searches without hitting the concurrent search quota per user?

bruceclarke
Contributor

All,

I'd like to allow users to create a dashboard of saved searches without it counting towards their search quota. As it stands now, it seems like any dashboard will run the saved searches under the user account that created these saved searches.

For example, if Jon creates a dashboard comprised of saved searches that he wrote, then Smith opens the dashboard, it still counts towards Jon's search quota. At least that's what I'm seeing.

Is there any way around this issue? What's the best practice for handling this?

Thanks!

1 Solution

vasanthmss
Motivator

Here are a few suggestions:

  1. Move the searches to admin / nobody level.
  2. Use a search template to create dashboards. It will ensure reusability.
  3. If the above two steps do not help, then increasing the number of concurrent searches will be the only option.

Cheers.

V

Runals
Motivator

You should also realize that if Jon creates the saved query and that saved query is put into a dashboard, not only does this count against Jon's quota, it is also run with Jon's permissions. This was a 6x thing that took us unawares, as Splunk didn't handle this issue gracefully (especially at first; I believe it has somewhat been addressed) when the number of panels on the dashboard was greater than 2x the concurrent search quota.

Besides adjusting the saved search owner to a different role that has a higher concurrent search quota, you could also convert the search to be inline. When the search is now run, it is run with the quota and permissions of whoever is opening the dashboard. Another option, if this is going to be a heavily used dashboard, is to schedule the search so that the dashboard uses the search artifacts vs. running the searches each time someone opens/refreshes the dashboard.
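
The distinction described in the reply above, as an added example that is not part of the original thread or Splunk's own code: a small audit that classifies each dashboard panel as an on-demand saved-search reference (owner's quota and permissions), a scheduled report (stored results), or an inline search (viewer's quota and permissions). The dashboard XML, the `savedsearches.conf` text, the owner map, and the names `audit_dashboard` and `owner_quota` are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample dashboard (Simple XML): two report references, one inline search.
DASHBOARD_XML = """
<dashboard>
  <row>
    <panel><chart><search ref="Failed logins by host"/></chart></panel>
    <panel><table><search ref="Top talkers"/></table></panel>
    <panel><single><search><query>index=web | stats count</query></search></single></panel>
  </row>
</dashboard>
"""

# Constructed savedsearches.conf content; enableSched = 1 marks a scheduled report.
SAVEDSEARCHES_CONF = """
[Failed logins by host]
search = index=auth action=failure | stats count by host

[Top talkers]
search = index=net | top src_ip
enableSched = 1
cron_schedule = */15 * * * *
"""

# Constructed owner map (hypothetical input; ownership is not stored in savedsearches.conf).
OWNERS = {"Failed logins by host": "jon", "Top talkers": "jon"}

def audit_dashboard(xml_text, conf_text, owners, owner_quota):
    """Classify each panel search by whose quota and permissions it runs under."""
    conf = configparser.RawConfigParser(strict=False)
    conf.read_string(conf_text)
    findings, on_demand = [], Counter()
    for search in ET.fromstring(xml_text).iter("search"):
        ref = search.get("ref")
        if ref is None:
            findings.append(("<inline>", "viewer", "runs as whoever opens the dashboard"))
        elif conf.has_section(ref) and conf.get(ref, "enableSched", fallback="0").strip() in ("1", "true"):
            findings.append((ref, owners.get(ref, "unknown"), "scheduled: dashboard reads stored results"))
        else:
            owner = owners.get(ref, "unknown")
            on_demand[owner] += 1  # one concurrent search charged to the owner per page load
            findings.append((ref, owner, "runs on load with owner's quota and permissions"))
    over_quota = {o: n for o, n in on_demand.items() if n > owner_quota}
    return findings, over_quota


if __name__ == "__main__":
    print(audit_dashboard(DASHBOARD_XML, SAVEDSEARCHES_CONF, OWNERS, owner_quota=3))
```

Panels reported as running on load under an owner are the ones to review for both quota pressure and for data the viewer could not otherwise search.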

bruceclarke
Contributor

I've just increased the number of concurrent searches that a user is able to make, but I'd really like to hear what best practices (if any) others have come up with.

0 Karma