We currently have an issue with our "nobody" user in splunk whom we assign all our scheduled reports to. we are reaching daily the disk quota limit and a lot of searches are getting skipped.
Message:
"The maximum disk usage quota for this user has been reached."
Now I want to increase the "srchDiskQuota" in the authorize.conf. But having two questions:
1. Is it correct that if we want to assign anything to the "nobody" user we need to do this for [default] since the "nobody" user isnt assigned to any role? Or is the user actually part of the role "splunk-system-role"?
2. How can I find out what would be my maximum setting for the "srchDiskQuota" to not brake my system?
Thanks for a short feedback.
I recommend creating a role and account only for running scheduled searches. Don't use 'nobody'. Having a role just for scheduled searches makes it much easier to manage the resources it can use.