
Restrict users from firing complex queries | force kill the complex query!

chimbudp
Contributor

Background:

I am using Splunk version 4.3.3, with 4 indexers and 1 search head, and the default configuration for limits.conf.

OS : RHEL 6

Subnet : logging

HDD 1 : 40

HDD 2: 100

Memory : 16

CPU cores :4

With the default settings my search head is capable of running 4 concurrent searches (as recommended by Splunk).
However, I often get "maximum historical search limit is reached", and this is quite annoying for my users.

Suggest me the best way to resolve this (some ideas from my readings; correct me if I am wrong below):

  • Shall I tweak the default settings in limits.conf? How far is it recommended to localize this configuration file?
  • Shall I increase the number of cores in the search head's CPU?
  • Do I need to go for multiple search heads?

Can I try this:

  • Restrict Splunk users from triggering a complex query, or a query which fetches very old data.
  • Restrict features in the time range picker: remove the "All Time" selection.

However, I want to limit the users from running complex queries. Are there any tricks?
Or is there any way to force the search query to show limited data, even though a long time range is selected?

Kindly advise.

Thanks,

Chimbu

0 Karma

alacercogitatus
SplunkTrust

Version 4.3.3 is no longer supported. I suggest upgrading both Splunk and the number of cores you have. The hardware specification requirements are here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Installation/SystemRequirements#Recommended_hardwa...

0 Karma

linu1988
Champion

Then it needs to be set specifically for the role in authorize.conf; parameters like srchMaxTime, srchTimeWin and srchJobsQuota will help you restrict the users from having long queries. Regarding the complexity, there are not many options if you don't have any static queries to allow them.

0 Karma
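The role-based limits named in the answer above, written out as an added example (not posted in the thread and not Splunk's own sample configuration). The role name `restricted_user` and every numeric value are assumptions to tune to your own capacity; the key names are the documented authorize.conf and limits.conf settings, but confirm them against the `.spec` files shipped with your Splunk version.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Added example: per-role search limits so that one group of users cannot
# monopolise the search head. Role name and values are assumptions.
[role_restricted_user]
importRoles = user
# Maximum time span of a single search, in seconds (7 days here). It is
# applied backwards from the latest time of the search, so an "All Time"
# search from the picker is bounded to this window instead of scanning
# every bucket.
srchTimeWin = 604800
# Maximum number of seconds a search for this role may run before Splunk
# stops it. This is the "force kill" the original question asks about.
srchMaxTime = 600
# Concurrent historical searches allowed per user holding this role.
srchJobsQuota = 2
# Concurrent real-time searches allowed per user holding this role.
rtSrchJobsQuota = 1
# Disk space (MB) for search artifacts per user holding this role.
srchDiskQuota = 100

# --- $SPLUNK_HOME/etc/system/local/limits.conf ---
# The search-head-wide ceiling behind the "maximum historical search limit
# is reached" message. Per limits.conf.spec the limit is
#   max_searches_per_cpu * <CPU cores> + base_max_searches
# Values below are assumptions; raising them only helps if the host has
# the CPU and memory to run that many searches at once.
[search]
max_searches_per_cpu = 1
base_max_searches = 6
```

Role quotas are enforced per user, so a service account that submits searches through the REST API should get its own role with tight quotas rather than inheriting the interactive users' role.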

chimbudp
Contributor

I can't have saved searches, since the searches are fired from some external components via the REST API ...

0 Karma

linu1988
Champion

The message shows up because of the limitation on the roles for concurrent searches. You can use saved searches to avoid this, or the maximum number of concurrent searches needs to be altered.

0 Karma

chimbudp
Contributor

Okay, after I upgrade Splunk to its latest version, suggest what action I can take.

0 Karma