Hi,
Is there a setting to limit max runtime for a search? I don't see anything obvious.
Yes, srchMaxTime in authorize.conf for the role you want to limit to.
srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Authorizeconf
Yes, srchMaxTime in authorize.conf for the role you want to limit to.
srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Authorizeconf
This answer is correct but do keep in mind that it's subtle when a scheduled search is auto-finalized (time limited), the GUI (at least in Splunk 7.0.x) doesn't make it super-obvious that a search has been auto-finalized.
You can see it via the gap in the timeline and also if you check the inspect job button or the info messages...in a scheduled search it is hidden within files in the dispatch directory so it's even less obvious that the auto-finalization occurred.
Bingo. So you very much introduce a situation where a user may think the search is complete and draw conclusions from the result but in reality the data set is incomplete. This is esp hard if on a dashboard.
Thanks! I assumed it was in the roles gui.