Splunk Search

How to limit runtime for a search?

a212830
Champion

Hi,

Is there a setting to limit max runtime for a search? I don't see anything obvious.

0 Karma
1 Solution

pradeepkumarg
Influencer

Yes, srchMaxTime in authorize.conf for the role you want to limit to.

srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Authorizeconf
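One way to check the setting named in the answer above across all roles, as an added example that is not part of the original post or Splunk's own tooling: it reads authorize.conf text and reports each role's srchMaxTime against a ceiling. The sample file, role names, the `to_seconds`/`audit_roles` helpers, the one-hour ceiling and the accepted unit spellings are assumptions; inheritance through importRoles is not resolved.

```python
import re

# Constructed sample authorize.conf (role names and values are illustrative).
SAMPLE_CONF = """\
[role_analyst]
importRoles = user
srchMaxTime = 10m
[role_power_reports]
srchMaxTime = 8h
[role_intern]
srchJobsQuota = 2
"""

# Assumption: the unit is identified by its first letter (s, m, h, d).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert '<integer><unit>' such as '10m' or '2hours' to seconds, else None."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", value)
    if not m:
        return None
    unit = UNIT_SECONDS.get(m.group(2)[0].lower())
    return int(m.group(1)) * unit if unit else None

def audit_roles(conf_text, ceiling_seconds):
    """Return {role: finding} for every [role_*] stanza in conf_text."""
    findings, role = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            role = stanza.group(1) if stanza.group(1).startswith("role_") else None
            if role:
                # Roles that never set the key rely on a default or inherited value.
                findings.setdefault(role, "no explicit srchMaxTime")
            continue
        key, _, value = line.partition("=")
        if role and key.strip() == "srchMaxTime":
            secs = to_seconds(value)
            if secs is None:
                findings[role] = f"unrecognised value {value.strip()!r}"
            else:
                status = "ok" if secs <= ceiling_seconds else "above ceiling"
                findings[role] = f"{secs}s ({status})"
    return findings

if __name__ == "__main__":
    print(audit_roles(SAMPLE_CONF, ceiling_seconds=3600))
```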

gjanders
SplunkTrust

This answer is correct, but do keep in mind that it's subtle when a scheduled search is auto-finalized (time limited); the GUI (at least in Splunk 7.0.x) doesn't make it super-obvious that a search has been auto-finalized.

You can see it via the gap in the timeline and also if you check the inspect job button or the info messages... In a scheduled search it is hidden within files in the dispatch directory, so it's even less obvious that the auto-finalization occurred.

0 Karma

sloshburch
Splunk Employee

Bingo. So you very much introduce a situation where a user may think the search is complete and draw conclusions from the result, but in reality the data set is incomplete. This is especially hard if on a dashboard.

0 Karma

a212830
Champion

Thanks! I assumed it was in the roles GUI.

0 Karma