Monitoring Splunk

How to fetch details when users exhaust Splunk search quota?


Hello All,

I need your help to write SPL for fetching details of events that occur when users reach or cross the threshold limit defined as per their role for executing Splunk searches.

Any information would be very helpful.

Thank you

Labels (3)
0 Karma


Information fetched so far: -

I asked it earlier on a separate forum and got following details from Jason Buxton: -

To get details of roles and and their configurations: -

|rest /services/authorization/roles splunk_server=local

To fetch my details: -

|rest /services/authentication/users splunk_server=local


I got following information from Miachael Camp Bentley: -

index=_internal reason=*

I tried to modify it as: -

index=_internal reason="*quota*"

 And I got output with string: - The maximum number of concurrent historical searches for this user based on their role quota has been reached.

Although there were many empty fields, I fetched data from below fields: -

* event_message

* _raw

* reason

* search_id

* splunk_server

* splunk_server_group


However, it would be helpful if you could guide on getting more details related to events and errors along with related attributes which occur when users exceed their search quota.

Thank you

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...