Hi Everyone,
Looks for a few best practices or suggestions. I have installed search term restrictions based on a users role. All my dashboards and views are being produced by summary index's. But even while doing this I have seen a significant performance decrease since implementing this.
Does anyone have any experience with this or best practices to share?
Thanks
Rather than limiting search term , a role with specific index access will be a good practice.
I try to not use search term limits because it means that anything that user does at all is prepended with those search terms. This adds complexity and CPU/RAM overhead to every single operation, including saved searches run as that user.
If possible, remove access for that role for regular indexes and only allow it to look at the summary indexes. If that isn't possible or you are still seeing performance issues, you may want to either populate a new index just for this specific role (either from the original data or from the current summary index by using your search term restrictions only and sending everything else via collect to another summary index). Then you can remove the search term restrictions and only provide access for those accounts under that role to that single summary index.
Optionally, spin up a search head on a VM, create the new summary index on it and toss this role on it so it only has access to that subset of data.
Lastly, throw more hardware at the problem by upgrading or replacing the indexer in question.
I've done most of the above solutions in some form or another, including more hardware and search heads (my favorite scalable solution).