Deployment Architecture
Highlighted

How to put the search memory limit for a particular role?

Path Finder

Hi,
We are seeing high memory usage from certain set of people. We wanted to limit their search memory usage.
Is it possible to make changes in limits.conf and target to only specific role in splunk?

0 Karma
Highlighted

Re: How to put the search memory limit for a particular role?

SplunkTrust
SplunkTrust

AFAIK, that setting is instance/cluster specific and can not be setup for specific roles. Why not apply the limit to all users? (guessing high usage is slowing/crashing your Splunk servers, so applying the limit to all users would probably be more helpful)

0 Karma
Highlighted

Re: How to put the search memory limit for a particular role?

New Member

@somesoni2, Please suggest how can we set instance/cluster specific for all users?

0 Karma
Highlighted

Re: How to put the search memory limit for a particular role?

Builder

per my reseach, this is the process where you setup the limits to the entire splunk environent

https://docs.splunk.com/Documentation/Splunk/7.3.2/Search/Limitsearchprocessmemoryusage#Enable_a_sea...

limits.conf definition
enablememorytracker =
* Specifies if the memory tracker is enabled.
* When set to "false" (disabled): The search is not terminated even if
the search exceeds the memory limit.
* When set to "true": Enables the memory tracker.
* Must be set to "true" to enable the "searchprocessmemoryusagethreshold"
setting or the "searchprocessmemoryusagepercentage_threshold" setting.
* Default: false

searchprocessmemoryusagethreshold =
* To use this setting, the "enablememorytracker" setting must be set
to "true".
* Specifies the maximum memory, in MB, that the search process can consume
in RAM.
* Search processes that violate the threshold are terminated.
* If the value is set to 0, then search processes are allowed to grow
unbounded in terms of in memory usage.
* Default: 4000 (4GB)

searchprocessmemoryusagepercentagethreshold =
* To use this setting, the "enable
memory_tracker" setting must be set
to "true".
* Specifies the percent of the total memory that the search process is
entitled to consume.
* Search processes that violate the threshold percentage are terminated.
* If the value is set to zero, then splunk search processes are allowed to
grow unbounded in terms of percentage memory usage.
* Any setting larger than 100 or less than 0 is discarded and the default
value is used.
* Default: 25%

0 Karma
Highlighted

Re: How to put the search memory limit for a particular role?

SplunkTrust
SplunkTrust

the setting is in authorize.conf
use this example:

[role_ninja]
rtsearch = disabled
importRoles = user
srchFilter = something=something
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota   = 8
rtSrchJobsQuota = 8
srchDiskQuota   = 50

read here:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Security/Addandeditroleswithauthorizeconf

and in more detail here:
https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/authorize.conf

hope it helps

View solution in original post

0 Karma