Monitoring Splunk

How can I limit the sum of concurrent searches done by a group of users in Splunk?

jkst1972
Explorer

We have separate search head servers (separated from the index servers) and we would like to limit the sum of concurrent searches done from all the users from one department. The purpose is to make sure that all departments have a minimum of resources on the search head servers independent of the amount of search activity done by the other users. Is this possible in Splunk?

If this functionality isn’t available out of the box; any ideas/workarounds on how to solve this would be appreciated.

0 Karma

kristian_kolb
Ultra Champion

I'm not really sure, but I guess you could try to create different roles - one for each department - even if the actual capabilities for the roles are the same. Then you can set the maximum concurrent searches on a per role basis.

This is probably not how the roles were intended to be used, and you may have to alter the "max concurrent search jobs" setting for any inherited roles (such as the "user" role).

Note: I have not tried this, I am just guessing. Proceed with caution.

Kristian

0 Karma

jkst1972
Explorer

Thank you for answering; if I understand you correctly this is what I've tried before with the following discovery: any person in the role will inherit the maximum concurrent search setting. So if I set the role to 5 max concurrent searches, each and every user assigned this role will have 5 concurrent searches before the next one will be placed on wait in the jobs list.
It makes sense since this is a role you inherit and not a group you get assigned to. I guess what I'm really wishing is group functionality...

0 Karma
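
Added example, not part of the original thread: a configuration sketch that sets the per-user role quota described in the last reply beside a role-wide cap, so that one department's searches cannot exhaust the search head for the others. It assumes a Splunk version whose authorize.conf supports `cumulativeSrchJobsQuota` / `cumulativeRTSrchJobsQuota` and whose limits.conf supports `enable_cumulative_quota`; the role names and numbers are hypothetical.

```ini
# ---- authorize.conf on the search head ----
# One role per department (hypothetical names), same capabilities, separate quotas.

[role_dept_finance]
# Inherit capabilities from the built-in "user" role.
importRoles = user
# Per-user limit: EACH member of this role may run up to 5 concurrent
# historical searches. This is the behaviour observed in the thread.
srchJobsQuota = 5
# Role-wide limit: all members of this role TOGETHER may run at most
# 20 concurrent historical searches.
cumulativeSrchJobsQuota = 20
# The same pair of limits for real-time searches.
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 6

[role_dept_engineering]
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 20
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 6

# ---- limits.conf on the search head ----
[search]
# The cumulative (role-wide) quotas above are ignored unless this is enabled.
enable_cumulative_quota = true
```

Size the cumulative quotas so that their sum stays below the search head's overall concurrent search limit, and check the quotas of any imported roles, as the first reply notes.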