- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: How to put the search memory limit for a parti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We are seeing high memory usage from certain set of people. We wanted to limit their search memory usage.
Is it possible to make changes in limits.conf and target to only specific role in splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the setting is in authorize.conf
use this example:
[role_ninja]
rtsearch = disabled
importRoles = user
srchFilter = something=something
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 50
read here:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Security/Addandeditroleswithauthorizeconf
and in more detail here:
https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/authorize.conf
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the setting is in authorize.conf
use this example:
[role_ninja]
rtsearch = disabled
importRoles = user
srchFilter = something=something
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 50
read here:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Security/Addandeditroleswithauthorizeconf
and in more detail here:
https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/authorize.conf
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AFAIK, that setting is instance/cluster specific and can not be setup for specific roles. Why not apply the limit to all users? (guessing high usage is slowing/crashing your Splunk servers, so applying the limit to all users would probably be more helpful)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2, Please suggest how can we set instance/cluster specific for all users?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
per my reseach, this is the process where you setup the limits to the entire splunk environent
limits.conf definition
enable_memory_tracker =
* Specifies if the memory tracker is enabled.
* When set to "false" (disabled): The search is not terminated even if
the search exceeds the memory limit.
* When set to "true": Enables the memory tracker.
* Must be set to "true" to enable the "search_process_memory_usage_threshold"
setting or the "search_process_memory_usage_percentage_threshold" setting.
* Default: false
search_process_memory_usage_threshold =
* To use this setting, the "enable_memory_tracker" setting must be set
to "true".
* Specifies the maximum memory, in MB, that the search process can consume
in RAM.
* Search processes that violate the threshold are terminated.
* If the value is set to 0, then search processes are allowed to grow
unbounded in terms of in memory usage.
* Default: 4000 (4GB)
search_process_memory_usage_percentage_threshold =
* To use this setting, the "enable_memory_tracker" setting must be set
to "true".
* Specifies the percent of the total memory that the search process is
entitled to consume.
* Search processes that violate the threshold percentage are terminated.
* If the value is set to zero, then splunk search processes are allowed to
grow unbounded in terms of percentage memory usage.
* Any setting larger than 100 or less than 0 is discarded and the default
value is used.
* Default: 25%
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
