We have separate search head servers (separated from the index servers) and we would like to limit the sum of concurrent searches done from all the users from one department. The purpose is to make sure that all departments have a minimum of resources on the search head servers independent of the amount of search activity done by the other users. Is this possible in Splunk?
If this functionality isn’t available out of the box; any ideas/workarounds on how to solve this would be appreciated.
I'm not really sure, but I guess you could try to create different roles - one for each department - even if the actual capabilities for the roles are the same. Then you can set the maximum concurrent searches on a per role basis.
This is probably not how the roles were intended to be used, and you may have to alter the "max concurrent search jobs" setting for any inherited roles (such as the "user" role).
Note: I have not tried this, I am just guessing. Proceed with caution.
Thank you for answering; if I understand you correctly this is what I've tried before with the following discovery: any person in the role will inherit the maximum concurrent search setting. So if I set the role to 5 max concurrent searches, each and every user assigned this role will have 5 concurrent searches before the next one will be placed on wait in the jobs list.
It makes sense since this is a role you inherit and not a group you get assigned to. I guess what I'm really wishing for is group functionality...
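
An added configuration sketch for the role-per-department idea discussed in this thread. It is not from any of the posters and has not been run against their deployment. The role names and all numbers are hypothetical, and it assumes a Splunk Enterprise version whose `authorize.conf` supports `cumulativeSrchJobsQuota` / `cumulativeRTSrchJobsQuota` and whose `limits.conf` supports `enable_cumulative_quota`.

```ini
# ---- authorize.conf on the search head ----
# Role names and numbers below are hypothetical examples.

[role_dept_finance]
# Capabilities are inherited; review the quota on the imported role too,
# as the thread points out for the "user" role.
importRoles = user
# Per-user limit: every user holding this role may run this many
# concurrent historical searches (the behaviour observed in the thread).
srchJobsQuota = 5
# Role-wide limit: total concurrent historical searches across ALL
# users holding this role (assumes the setting exists in this version).
cumulativeSrchJobsQuota = 20
# The same pair for real-time searches.
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 4

[role_dept_engineering]
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 20
rtSrchJobsQuota = 2
cumulativeRTSrchJobsQuota = 4

# ---- limits.conf on the search head ----
[search]
# Cumulative role quotas are only enforced when this is enabled.
enable_cumulative_quota = true
```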