Monitoring Splunk

How can I limit the sum of concurrent searches done by a group of users in Splunk?

jkst1972
Explorer

We have separate search head servers (separated from the index servers) and we would like to limit the sum of concurrent searches done from all the users from one department. The purpose is to make sure that all departments has a minimum of resources on the search head servers independent of the amount of search activity done by the other users. Is this possible in Splunk?

If this functionality isn’t available out of the box; any ideas/workarounds on how to solve this would be appreciated.

Tags (3)
0 Karma

kristian_kolb
Ultra Champion

I'm not really sure, but I guess you could try to create different roles - one for each department - even if the actual capabilities for the roles are the same. Then you can set the maximum concurrent searches on a per role basis.

This is probably not how the roles were intended to be used, and you may have to alter the "max concurrent search jobs" setting for any inherited roles (such as the "user" role).

Note: I have not tried this, I am just guessing. Proceed with caution.

Kristian

0 Karma

jkst1972
Explorer

Thank you for answering; if I understand you correctly this is what I've tried before with the following dicovery: any person in the role will inherit the maximum concurrent search setting. So if I set the role to 5 max concurrent searches. Each and every user assigned this role will have 5 concurrent searches before the next one will be placed on wait in the jobs list.
It makes sense since this a role you inherit and not a group you get assigned to. I guess what i'm really wishing is group functionality...

0 Karma
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...