Is there a way to bypass max_searches_per_cpu setting (in limits.conf) for a given user or role?
I need to to this for a user that is deputed to data import (the data import work consists also in splunk searches)
You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.
I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.
You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.
I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.
The "data import" user has already an admin role, so its limits are much higher. I suppose max_searches_per_cpu
has a much higher priority, and I'm searching a way to bypass it.
Yes, adding search headers is a good workaround, but it's not an optimal solution. This way is very simple to do a DDoS attack that will prevent data importing.
Note: If you are maxing out cores, it's probably time to add indexers (so that searches complete faster), or add another search head if you have a lot of scheduled searches running all the time.