Getting Data In

How to limit REST API searches in Splunk deployment?

Path Finder

I am looking into the feasibility of opening up REST api calls to our Splunk deployment. One of the concerns is if we would have the ability to limit how many requests are allowed. I have not been able to find any documentation indicating a way to restrict it such that an authorized user could only do 100, or a 1000 or whatever arbitrary number of searches or other requests. Is this possible?

Thanks.

SplunkTrust
SplunkTrust

The REST Api calls can be limited based on the role assigned to the user/account used to make the calls. So just make sure that you're putting necessary quota restriction for the role that your REST Api user aligned with.

Path Finder

Thank you for the reply. When I look at the role limitations I see a maximum number of concurrent searches, which is useful, but I would also like to cap them for total searches per hour for example. Is there any way to limit like that?

0 Karma

SplunkTrust
SplunkTrust

It would've been great if we could restrict it based on total number of searches for a time range, but it's not available. You can use combination of srchJobsQuota (concurrent searches) and srchDiskQuota (maximum disk space usage) so that impact of too many searches could be reduced. (Things will either queued [if concurrent search limit is reached] OR will be auto-finalized [if disk quota is reached]).

Path Finder

Excellent! Thank you for sharing that information.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!