Solved: Re: Simultaneous queries/jobs limit

sranga · ‎08-31-2010

Hi

I was wondering if there is a limit on the count of simultaneous queries/searches/jobs executed in a Splunk instance.

Would saved searches count towards this limit (if there is one)?
Appreciate your help.

-Ranga

Stephen_Sorkin · ‎08-31-2010

Yes, there is a limit and it's configurable in limits.conf in:

[search]
# the maximum number of concurrent searches per CPU 
max_searches_per_cpu = 4

# the base number of concurrent searches
base_max_searches = 4

# max real-time searches = max_rt_search_multiplier x max historical searches
max_rt_search_multiplier = 3

# the total number of concurrent searches is base_max_searches + #cpus*max_searches_per_cpu

A separate per-user limit exists in authorize.conf in:

[role_<role>]
srchDiskQuota = <number>
    * Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role
    * Defaults to '100', for 100 MB.

srchJobsQuota = <number>
    * Maximum number of concurrently running historical searches a member of this role can have (excludes real-time searches, see rtSrchJobsQuota)
    * Defaults to 3

Saved searches count towards this limit, but they have a stricter quota expressed as a percent of the system-wide quota in limits.conf:

[scheduler]
# the maximum number of searches the scheduler can run, as a percentage
# of the maximum number of concurrent searches 
max_searches_perc  = 25

There is also a per-savedsearch concurrent limit which defaults to 1 and is set per-search in savedsearches.conf:

[<search_name>]
max_concurrent = <int>
    * The maximum number of concurrent instances of this search the scheduler 
    * is allowed to run. 
    * Defaults to 1

View solution in original post

Stephen_Sorkin · ‎08-31-2010

Yes, there is a limit and it's configurable in limits.conf in:

[search]
# the maximum number of concurrent searches per CPU 
max_searches_per_cpu = 4

# the base number of concurrent searches
base_max_searches = 4

# max real-time searches = max_rt_search_multiplier x max historical searches
max_rt_search_multiplier = 3

# the total number of concurrent searches is base_max_searches + #cpus*max_searches_per_cpu

A separate per-user limit exists in authorize.conf in:

[role_<role>]
srchDiskQuota = <number>
    * Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role
    * Defaults to '100', for 100 MB.

srchJobsQuota = <number>
    * Maximum number of concurrently running historical searches a member of this role can have (excludes real-time searches, see rtSrchJobsQuota)
    * Defaults to 3

Saved searches count towards this limit, but they have a stricter quota expressed as a percent of the system-wide quota in limits.conf:

[scheduler]
# the maximum number of searches the scheduler can run, as a percentage
# of the maximum number of concurrent searches 
max_searches_perc  = 25

There is also a per-savedsearch concurrent limit which defaults to 1 and is set per-search in savedsearches.conf:

[<search_name>]
max_concurrent = <int>
    * The maximum number of concurrent instances of this search the scheduler 
    * is allowed to run. 
    * Defaults to 1

sranga · ‎08-31-2010

Hi Stephen. Thanks for the answer. Is there a "physical" limit or a "recommended" limit for these configurable values depending on the hardware being used?

Simultaneous queries/jobs limit

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases