Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit runtime for a search?

a212830
Champion
‎07-02-2018 07:25 AM

Hi,

Is there a setting to limit max runtime for a search? I don't see anything obvious.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-02-2018 07:33 AM

Yes, srchMaxTime in authorize.conf for the role you want to limit to.

srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Authorizeconf

View solution in original post

Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-02-2018 07:33 AM

Yes, srchMaxTime in authorize.conf for the role you want to limit to.

srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Authorizeconf

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎07-02-2018 04:12 PM

This answer is correct but do keep in mind that it's subtle when a scheduled search is auto-finalized (time limited), the GUI (at least in Splunk 7.0.x) doesn't make it super-obvious that a search has been auto-finalized.

You can see it via the gap in the timeline and also if you check the inspect job button or the info messages...in a scheduled search it is hidden within files in the dispatch directory so it's even less obvious that the auto-finalization occurred.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-03-2018 05:18 AM

Bingo. So you very much introduce a situation where a user may think the search is complete and draw conclusions from the result but in reality the data set is incomplete. This is esp hard if on a dashboard.

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎07-02-2018 07:49 AM

Thanks! I assumed it was in the roles gui.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...