I am looking into the feasibility of opening up REST api calls to our Splunk deployment. One of the concerns is if we would have the ability to limit how many requests are allowed. I have not been able to find any documentation indicating a way to restrict it such that an authorized user could only do 100, or a 1000 or whatever arbitrary number of searches or other requests. Is this possible?
The REST Api calls can be limited based on the role assigned to the user/account used to make the calls. So just make sure that you're putting necessary quota restriction for the role that your REST Api user aligned with.
Thank you for the reply. When I look at the role limitations I see a maximum number of concurrent searches, which is useful, but I would also like to cap them for total searches per hour for example. Is there any way to limit like that?
It would've been great if we could restrict it based on total number of searches for a time range, but it's not available. You can use combination of srchJobsQuota (concurrent searches) and srchDiskQuota (maximum disk space usage) so that impact of too many searches could be reduced. (Things will either queued [if concurrent search limit is reached] OR will be auto-finalized [if disk quota is reached]).