Hi
We are trying to alert based on different conditions for different application log data. We see in the activity that there are only 5-6 jobs running concurrently while we have 50 alerts configured. Cpu utilization on the search head is very minimum, Concurrent. Can you please tell me if there is parameter which puts a limit on the number or real-time alerts?
Thanks
yes. it's a mix of
example : 32 cores search-head : (32 *1 +6 ) *1 = 38
quota limit rtSrchJobsQuota * max_searches_perc
example : for a role A: realtime limit 6 and scheduler multiplier 50% => 6 realtime alerts and 3 realtime scheduler max
see limits.conf http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Limitsconf
[search]
base_max_searches, max_searches_per_cpu, max_rt_search_multiplier
[scheduler]
max_searches_perc
and authorize.conf for the roles quotas. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf
[role_*]
rtSrchJobsQuota