https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490019#M83762 <P>A few things you can look at:<BR /> You can modify times.conf and verify users are not searching All time by default<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf</A><BR /> <A href="https://answers.splunk.com/answers/79547/disable-all-time.html">https://answers.splunk.com/answers/79547/disable-all-time.html</A></P> <P>Force users to specify indexes in their queries by verifying that "Indexes searched by default" for the role assigned to the users is NOT set to "All non-internal indexes"</P> <P>Verify that data is being distributed equally to indexers (more or less) otherwise the workload won't be evenly distributed and you'll be waiting longer for the query to complete if one indexer is doing most of the work. splunk_server is the field name representing the indexer that is hosting/serving the data.</P> <PRE><CODE>your base query | top 100 splunk_server </CODE></PRE> Thu, 26 Sep 2019 03:55:01 GMT bandit 2019-09-26T03:55:01Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490016#M83759 <P>Yesterday, one indexer got crashed due to a very badly developed dashboard - it instantly consumed all the memory of the indexer.</P> <P>Which quotas should we place in order to prevent such cases?</P> <P>Btw, it does seem that this particular indexer ran all or most of the queries of this dashboard, which is weird. </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7732i44228E0DC2827D1D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 25 Sep 2019 15:27:21 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490016#M83759 danielbb 2019-09-25T15:27:21Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490017#M83760 <P>Have a look at this:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/Limitsearchprocessmemoryusage">https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/Limitsearchprocessmemoryusage</A></P> Wed, 25 Sep 2019 18:40:23 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490017#M83760 somesoni2 2019-09-25T18:40:23Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490018#M83761 <P>That's great. Btw, what's the default max memory allocation per a search query?</P> Wed, 25 Sep 2019 20:58:54 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490018#M83761 danielbb 2019-09-25T20:58:54Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490019#M83762 <P>A few things you can look at:<BR /> You can modify times.conf and verify users are not searching All time by default<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf</A><BR /> <A href="https://answers.splunk.com/answers/79547/disable-all-time.html">https://answers.splunk.com/answers/79547/disable-all-time.html</A></P> <P>Force users to specify indexes in their queries by verifying that "Indexes searched by default" for the role assigned to the users is NOT set to "All non-internal indexes"</P> <P>Verify that data is being distributed equally to indexers (more or less) otherwise the workload won't be evenly distributed and you'll be waiting longer for the query to complete if one indexer is doing most of the work. splunk_server is the field name representing the indexer that is hosting/serving the data.</P> <PRE><CODE>your base query | top 100 splunk_server </CODE></PRE> Thu, 26 Sep 2019 03:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490019#M83762 bandit 2019-09-26T03:55:01Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490020#M83763 <P>@somesoni2 - I see these values on the indexers -</P> <PRE><CODE>$SPLUNK_HOME/etc/system/default/limits.conf - enable_memory_tracker = false $SPLUNK_HOME/etc/system/default/limits.conf - search_process_memory_usage_percentage_threshold = 25 $SPLUNK_HOME/etc/system/default/limits.conf - search_process_memory_usage_threshold = 4000 </CODE></PRE> <P>Should we change these values on the indexers and on the SHs as well?</P> Fri, 27 Dec 2019 16:12:20 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-proper-user-quotas-to-protect-our-indexers/m-p/490020#M83763 danielbb 2019-12-27T16:12:20Z