topic Re: Restrict users to fire complex query | force kill the complex query ! in Monitoring Splunk

Restrict users to fire complex query | force kill the complex query !

chimbudp — Mon, 06 Jan 2014 10:30:33 GMT

Background :

I am using Splunk verion 4.3.3 , having 4 indexer with 1 Search head and using the default configurations for limits.conf.

OS : RHEL 6

Subnet : logging

HDD 1 : 40

HDD 2: 100

Memory : 16

CPU cores :4

By default settings my search head is capable of doing 4 concurrent searches. (as recommended by splunk)
However often i am getting maximum historical search limit is reached. and this is quite annoying for my users.

Suggest me a best idea to resolve this, (something from my readings , correct me if i am wrong below)

Shall i tweak the default settings in limits.conf . How far this is recommended to localize this configuration file ?
Shall i increase the no. of cores in Search head's CPU ?
Do i need to go for multiple search heads ?

Can i try this ,

restrict the Splunk users triggering a complex query | or a query which fetches very old data .
Restrict features in TimeRange picker -remove "All Time" selection

However i wanted to limit the users from complex query. Is there any tricks ?
or any way to force the search query to show limited data , even though long time range is selected ?

Kindly advice.

Thanks,

Chimbu

Re: Restrict users to fire complex query | force kill the complex query !

alacercogitatus — Mon, 06 Jan 2014 13:28:15 GMT

Version 4.3.3 is no longer supported. I suggest upgrading both Splunk and the number of cores you have. The hardware specification requirements are here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Installation/SystemRequirements#Recommended_hardware

Re: Restrict users to fire complex query | force kill the complex query !

chimbudp — Tue, 07 Jan 2014 00:50:46 GMT

Okay , After I upgrade Splunk to its latest version .. Suggest me what action i can handle ?

Re: Restrict users to fire complex query | force kill the complex query !

linu1988 — Tue, 07 Jan 2014 05:15:59 GMT

The message shows up because of the limitation on the roles for concurrent searches. You can have savedsearch to avoid this, or the maximum concurrent searches needs to be altered

Re: Restrict users to fire complex query | force kill the complex query !

chimbudp — Tue, 07 Jan 2014 05:31:44 GMT

I cant have savedseraches , since the searches are fired from some external componenets via REST API ...

Re: Restrict users to fire complex query | force kill the complex query !

linu1988 — Tue, 07 Jan 2014 06:51:04 GMT

Then it needs to be set particular to the role in authorize.conf ,parameters like srchMaxTime,srchTimeWin,srchJobsQuota will help you restrict the users to have long queries. Regarding the complexity there are not many option if you don't have any static queries to allow them to.