Security

Should I grant all users schedule search permissions or not?

Contributor

Since normal users by default do not have the right to create alerts, I guess there is a good reason for it. Could it create unnecessary load on the server if the end users create whatever they want?

So, is the best option for normal users to ask for the alert to be created by administrator/power users?

0 Karma

SplunkTrust
SplunkTrust

@rune.hellem,

Yes, you are right. There is a good reason behind that.

Referring to the Configure the priority of scheduled reports ,the main factor is CPU. Splunk Documentation states:

Splunk software determines its system-wide concurrent historical search limit through a calculation where the primary variable is the number of CPUs in the deployment. The calculation includes two parameters that are defined in "limits.conf" in the Admin Manual:

max_searches_per_cpu is the maximum number of concurrent historical searches allowed per CPU. Defaults to 1.
base_max_searches is a baseline constant to add to the maximum number of searches, computed as a multiplier of the CPUs. Defaults to 6.
The calculation is as follows:
System-wide maximum number of concurrent historical searches = (max_searches_per_cpu x number of CPUs) + base_max_searches
If your system has one CPU, you can concurrently run a maximum of 7 historical searches ((1 x 1) + 6 = 7).

Also, refer to this Impact of concurrent users and searches
Obviously you can change the limits but Caution: If you have Splunk Enterprise, do not change limits.conf settings unless you know what you are doing.

So it's always good to have a control over the number of scheduled searches running unless you have unlimited system resources and very less number of users 🙂

0 Karma