Monitoring Splunk

How can I limit the sum of concurrent searches done by a group of users in Splunk?

jkst1972
Explorer

We have separate search head servers (separated from the index servers) and we would like to limit the sum of concurrent searches done by all the users from one department. The purpose is to make sure that all departments have a minimum of resources on the search head servers, independent of the amount of search activity done by the other users. Is this possible in Splunk?

If this functionality isn’t available out of the box; any ideas/workarounds on how to solve this would be appreciated.

0 Karma

kristian_kolb
Ultra Champion

I'm not really sure, but I guess you could try to create different roles - one for each department - even if the actual capabilities for the roles are the same. Then you can set the maximum concurrent searches on a per role basis.

This is probably not how the roles were intended to be used, and you may have to alter the "max concurrent search jobs" setting for any inherited roles (such as the "user" role).

Note: I have not tried this, I am just guessing. Proceed with caution.

Kristian

0 Karma

jkst1972
Explorer

Thank you for answering; if I understand you correctly, this is what I've tried before, with the following discovery: any person in the role will inherit the maximum concurrent search setting. So if I set the role to 5 max concurrent searches, each and every user assigned this role will have 5 concurrent searches before the next one is placed on wait in the jobs list.
It makes sense, since this is a role you inherit and not a group you get assigned to. I guess what I'm really wishing for is group functionality...

0 Karma
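
The per-user versus per-role distinction discussed in this thread, as an added configuration example that is not part of the original posts: `srchJobsQuota` in authorize.conf is a per-user limit, while Splunk versions whose authorize.conf spec documents `cumulativeSrchJobsQuota` can cap the total across all members of a role once `enable_cumulative_quota` is turned on in limits.conf. The role names and numbers below are assumptions chosen for illustration.

```ini
# --- authorize.conf on the search head ---
# One role per department (role names are hypothetical).

[role_dept_finance]
# Per-user limit: EACH member of the role may run this many
# concurrent historical searches. This is the behaviour described
# in the last reply (5 per user, not 5 for the department).
srchJobsQuota = 5
# Role-wide limit: total concurrent historical searches across
# ALL members of this role. Ignored unless the limits.conf
# switch below is enabled.
cumulativeSrchJobsQuota = 10
# Same idea for real-time searches.
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 4

[role_dept_engineering]
srchJobsQuota = 5
cumulativeSrchJobsQuota = 20
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 8

# --- limits.conf on the search head ---
[search]
# Off by default; without it only the per-user quotas apply.
enable_cumulative_quota = true
```

Check the authorize.conf and limits.conf spec files shipped with your Splunk version before relying on the cumulative settings, and review the quotas on any roles the department roles import.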