Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can a particular user or role ignore the limits.conf max_searches_per_cpu setting?

marco_sulla
Path Finder
‎10-15-2015 08:07 AM

Is there a way to bypass max_searches_per_cpu setting (in limits.conf) for a given user or role?

I need to to this for a user that is deputed to data import (the data import work consists also in splunk searches)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎10-15-2015 01:50 PM

You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.

I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎10-15-2015 01:50 PM

You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.

I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.

0 Karma
Reply
Solved! Jump to solution

marco_sulla
Path Finder
‎10-16-2015 01:45 AM

The "data import" user has already an admin role, so its limits are much higher. I suppose max_searches_per_cpu has a much higher priority, and I'm searching a way to bypass it.

Yes, adding search headers is a good workaround, but it's not an optimal solution. This way is very simple to do a DDoS attack that will prevent data importing.

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎10-15-2015 01:52 PM

Note: If you are maxing out cores, it's probably time to add indexers (so that searches complete faster), or add another search head if you have a lot of scheduled searches running all the time.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...