Re: How to fetch details when users exhaust Splunk...

Taruchit · ‎05-16-2023

Hello All,

I need your help to write SPL for fetching details of events that occur when users reach or cross the threshold limit defined as per their role for executing Splunk searches.

Any information would be very helpful.

Thank you

Taruchit · ‎05-16-2023

Information fetched so far: -

I asked it earlier on a separate forum and got following details from Jason Buxton: -

To get details of roles and and their configurations: -

|rest /services/authorization/roles splunk_server=local

To fetch my details: -

|rest /services/authentication/users splunk_server=local

I got following information from Miachael Camp Bentley: -

index=_internal reason=*

I tried to modify it as: -

index=_internal reason="*quota*"

And I got output with string: - The maximum number of concurrent historical searches for this user based on their role quota has been reached.

Although there were many empty fields, I fetched data from below fields: -

* event_message

* _raw

* reason

* search_id

* splunk_server

* splunk_server_group

However, it would be helpful if you could guide on getting more details related to events and errors along with related attributes which occur when users exceed their search quota.

Thank you

How to fetch details when users exhaust Splunk search quota?

other

resource usage

search performance

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life