Monitoring Splunk

Role "restrict search terms" Performance Issue

behymejt2012
Path Finder

Hi Everyone,

Looks for a few best practices or suggestions. I have installed search term restrictions based on a users role. All my dashboards and views are being produced by summary index's. But even while doing this I have seen a significant performance decrease since implementing this.

Does anyone have any experience with this or best practices to share?

Thanks

Tags (2)

linu1988
Champion

Rather than limiting search term , a role with specific index access will be a good practice.

0 Karma

jtrucks
Splunk Employee
Splunk Employee

I try to not use search term limits because it means that anything that user does at all is prepended with those search terms. This adds complexity and CPU/RAM overhead to every single operation, including saved searches run as that user.

If possible, remove access for that role for regular indexes and only allow it to look at the summary indexes. If that isn't possible or you are still seeing performance issues, you may want to either populate a new index just for this specific role (either from the original data or from the current summary index by using your search term restrictions only and sending everything else via collect to another summary index). Then you can remove the search term restrictions and only provide access for those accounts under that role to that single summary index.

Optionally, spin up a search head on a VM, create the new summary index on it and toss this role on it so it only has access to that subset of data.

Lastly, throw more hardware at the problem by upgrading or replacing the indexer in question.

I've done most of the above solutions in some form or another, including more hardware and search heads (my favorite scalable solution).

--
Jesse Trucks
Minister of Magic
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...