Splunk Search

Can a particular user or role ignore the limits.conf max_searches_per_cpu setting?

marco_sulla
Path Finder

Is there a way to bypass max_searches_per_cpu setting (in limits.conf) for a given user or role?

I need to to this for a user that is deputed to data import (the data import work consists also in splunk searches)

0 Karma
1 Solution

masonmorales
Influencer

You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.

I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.

View solution in original post

0 Karma

masonmorales
Influencer

You probably don't want to change max_searches_per_cpu in limits.conf because it would be a global change and could have a detrimental impact to performance.

I think you're asking how to bypass the concurrent search limit for a user or a role, right? You can create a new role in Splunk Web (under Access Controls), set the "Role-level concurrent search jobs limit" to 100, "User-level concurrent search jobs limit" to 100, save the role, and then add that user to the new role you created.

View solution in original post

0 Karma

marco_sulla
Path Finder

The "data import" user has already an admin role, so its limits are much higher. I suppose max_searches_per_cpu has a much higher priority, and I'm searching a way to bypass it.

Yes, adding search headers is a good workaround, but it's not an optimal solution. This way is very simple to do a DDoS attack that will prevent data importing.

0 Karma

masonmorales
Influencer

Note: If you are maxing out cores, it's probably time to add indexers (so that searches complete faster), or add another search head if you have a lot of scheduled searches running all the time.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.