Search usage/quota on views

pchadwick · ‎06-03-2010

Hi, I'm fairly new to splunk and just built my first view. It has 7 panels with small searches (timeframe & criteria etc) behind each. Under the standard user account I keep getting "Your maximum number of concurrent searches has been reached. usage=3 quota=3 The search was not run" error. I don't get it under admin user Is there a parameter for the user role that I need to change to allow this to run ?

Cheers.

Lowell · ‎06-03-2010

You have two different options.

Use scheduled saved searches

You can setup some or all of your searches as saved searches and then schedule them to run. You will need to do this for at least 4 of your searches so that you'll be within the existing 3 search limit:

Pros: The saved searches will load and display faster.

Cons: The search data will be less up to date, and if you don't frequently access the view then you will have the overhead of running a bunch of searches regularly that you don't frequently need.

Up the max-search limit

You can change the role limit in the config files by adding a role-level entry. Here is an example that that gives the 'user' role 7 concurrent searches.

$SPLUNK_HOME/etc/system/local/authorize.conf

[role_user]
srchJobsQuota = 7

Pros: Easy change to make.

Cons: Allowing many users to run many searches concurrently can lead to performance issues.

You also have the option of using a combination of these approaches. For example, set srchJobsQuota=5 and schedule 2 saved searches.

pchadwick · ‎06-07-2010

Thank you. This is just what I wanted to know.