Deployment Architecture

How to put the search memory limit for a particular role?

saurabh0912
Path Finder

Hi,
We are seeing high memory usage from certain set of people. We wanted to limit their search memory usage.
Is it possible to make changes in limits.conf and target to only specific role in splunk?

0 Karma
1 Solution

adonio
Ultra Champion

the setting is in authorize.conf
use this example:

[role_ninja]
rtsearch = disabled
importRoles = user
srchFilter = something=something
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota   = 8
rtSrchJobsQuota = 8
srchDiskQuota   = 50

read here:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Security/Addandeditroleswithauthorizeconf

and in more detail here:
https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/authorize.conf

hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

the setting is in authorize.conf
use this example:

[role_ninja]
rtsearch = disabled
importRoles = user
srchFilter = something=something
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota   = 8
rtSrchJobsQuota = 8
srchDiskQuota   = 50

read here:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Security/Addandeditroleswithauthorizeconf

and in more detail here:
https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/authorize.conf

hope it helps

0 Karma

somesoni2
Revered Legend

AFAIK, that setting is instance/cluster specific and can not be setup for specific roles. Why not apply the limit to all users? (guessing high usage is slowing/crashing your Splunk servers, so applying the limit to all users would probably be more helpful)

0 Karma

Chinna_nara
New Member

@somesoni2, Please suggest how can we set instance/cluster specific for all users?

0 Karma

ivanreis
Builder

per my reseach, this is the process where you setup the limits to the entire splunk environent

https://docs.splunk.com/Documentation/Splunk/7.3.2/Search/Limitsearchprocessmemoryusage#Enable_a_sea...

limits.conf definition
enable_memory_tracker =
* Specifies if the memory tracker is enabled.
* When set to "false" (disabled): The search is not terminated even if
the search exceeds the memory limit.
* When set to "true": Enables the memory tracker.
* Must be set to "true" to enable the "search_process_memory_usage_threshold"
setting or the "search_process_memory_usage_percentage_threshold" setting.
* Default: false

search_process_memory_usage_threshold =
* To use this setting, the "enable_memory_tracker" setting must be set
to "true".
* Specifies the maximum memory, in MB, that the search process can consume
in RAM.
* Search processes that violate the threshold are terminated.
* If the value is set to 0, then search processes are allowed to grow
unbounded in terms of in memory usage.
* Default: 4000 (4GB)

search_process_memory_usage_percentage_threshold =
* To use this setting, the "enable_memory_tracker" setting must be set
to "true".
* Specifies the percent of the total memory that the search process is
entitled to consume.
* Search processes that violate the threshold percentage are terminated.
* If the value is set to zero, then splunk search processes are allowed to
grow unbounded in terms of percentage memory usage.
* Any setting larger than 100 or less than 0 is discarded and the default
value is used.
* Default: 25%

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...