Concurrent search (user Vs system)



I have,

  • 1 search head (8 cores | 16Gb RAM)
  • 4 indexers (24 cores each | 32Gb RAM)

I calculated the system-wide concurrent search limit as follows:

# the maximum number of concurrent searches per CPU 
max_searches_per_cpu = 1

# the base number of concurrent searches
base_max_searches = 6

# the total number of concurrent searches is base_max_searches + #cpus*max_searches_per_cpu

6+(8*1) => 6+8 => 13 ----> (system-wide concurrent search)

I have limited 'user' role's concurrent search limit to '8'

I have both LDAP & Splunk authentication.

I am using Splunk 5.x with the default limits.conf file.

Queries:

  1. So, how does this take effect? For example, if 2 users under the role 'user' log in to Splunk and launch search queries, can each user perform '8' searches?
  2. When does Splunk reach the system-wide concurrent search limit?
  3. How to calculate average time per search per user?
  4. How to differentiate between the user and system-wide concurrent search limits?

Splunk Employee

There are three separate items in play here: the hardware limit, the User-level limit and the Role-level limit.

Your hardware limit will not change; if it can only handle 13 concurrent searches, you will never be able to exceed this, regardless of what is applied to the user and role.

The User-level limit is the number of searches a single user with that role can run. If it is set to 8, any user with that role can run up to 8 searches before receiving limit warnings.

Now, there is also a Role-level limit. This is a shared limit between all users with that role. Let's say this is set to 10...

User A is running 5 concurrent searches, at the same time User B attempts to run 7 searches, both users have the permissions to do this, but User B will receive limit warnings because the total number of concurrent searches for the role has now exceeded 10, (5+7=12).
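The three limits described in this answer, modeled as an added example (not Splunk's code and not part of the original answer). The `Scheduler` class, its field names and the order in which the limits are checked are assumptions; the role cap of 10 is the answer's hypothetical value, and the system-wide figure is evaluated from the limits.conf formula quoted in the question.

```python
from collections import Counter
from dataclasses import dataclass, field


def system_limit(cpus, base_max_searches=6, max_searches_per_cpu=1):
    """limits.conf formula: base_max_searches + #cpus * max_searches_per_cpu."""
    return base_max_searches + cpus * max_searches_per_cpu


@dataclass
class Scheduler:
    """Toy admission model (hypothetical names, assumed check order)."""
    system_max: int                 # system-wide ceiling on the search head
    user_quota: dict                # role -> limit for each single user
    role_quota: dict                # role -> limit shared by all users of the role
    running: list = field(default_factory=list)  # one (user, role) per search

    def try_start(self, user, role):
        """Admit the search and return 'ok', or name the limit that blocks it."""
        per_user = sum(1 for u, _ in self.running if u == user)
        per_role = sum(1 for _, r in self.running if r == role)
        if len(self.running) >= self.system_max:
            return "system"
        if per_user >= self.user_quota[role]:
            return "user"
        if per_role >= self.role_quota[role]:
            return "role"
        self.running.append((user, role))
        return "ok"


def replay(sched, requests):
    """Submit (user, role, count) batches; count blocked attempts per (user, limit)."""
    blocked = Counter()
    for user, role, count in requests:
        for _ in range(count):
            result = sched.try_start(user, role)
            if result != "ok":
                blocked[(user, result)] += 1
    return blocked


def answer_scenario():
    """User A runs 5 searches, then User B attempts 7 (constructed input)."""
    sched = Scheduler(system_max=system_limit(cpus=8),  # 8-core search head
                      user_quota={"user": 8}, role_quota={"user": 10})
    return sched, replay(sched, [("A", "user", 5), ("B", "user", 7)])


if __name__ == "__main__":
    sched, blocked = answer_scenario()
    print(sched.system_max, len(sched.running), dict(blocked))
```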


As per my understanding,
when User-1 runs 5 concurrent searches, User-2 can run only 3 concurrent searches (since the allowed limit is 8 for the user role); if User-2 runs a 4th query, he will get a warning that the maximum concurrent search limit has been reached.

Is it that the first user alone can run 8 concurrent searches when no other user is logged in? And when some other user runs a query, the limit is shared?

Also, if User-1 is already running 8 concurrent searches and launches a 9th query, will he get a warning? Or will the query be taken into account since the system-wide limit is '13'?
