Hi, I'm fairly new to splunk and just built my first view. It has 7 panels with small searches (timeframe & criteria etc) behind each. Under the standard user account I keep getting "Your maximum number of concurrent searches has been reached. usage=3 quota=3 The search was not run" error. I don't get it under admin user Is there a parameter for the user role that I need to change to allow this to run ?
Cheers.
You have two different options.
You can setup some or all of your searches as saved searches and then schedule them to run. You will need to do this for at least 4 of your searches so that you'll be within the existing 3 search limit:
Pros: The saved searches will load and display faster.
Cons: The search data will be less up to date, and if you don't frequently access the view then you will have the overhead of running a bunch of searches regularly that you don't frequently need.
You can change the role limit in the config files by adding a role-level entry. Here is an example that that gives the 'user' role 7 concurrent searches.
$SPLUNK_HOME/etc/system/local/authorize.conf
[role_user]
srchJobsQuota = 7
Pros: Easy change to make.
Cons: Allowing many users to run many searches concurrently can lead to performance issues.
You also have the option of using a combination of these approaches. For example, set srchJobsQuota=5
and schedule 2 saved searches.
Thank you. This is just what I wanted to know.