
How to remove real-time searches from Search and Home Page UI?

OMohi
Path Finder

I would like to remove real-time searches from the Home Page and Search Panel in the Splunk UI. I came across someone's opinion on removing real-time searches from times.conf at the following path on Splunk:

SPLUNK_HOME/etc/default/times.conf

I have tried implementing that change by commenting out the real-time stanza portions of that times.conf file. The change was partly successful, as I was able to get all the real-time searches disabled except for real-time ----> 24 hour window (real-time) from the panel. Could somebody suggest how to remove 24 hour window (real-time) from the panel?
This would be helpful, as we cannot chase down clients who are using real-time searches that are taxing Splunk performance.


aljohnson_splun
Splunk Employee

Rather than editing the UI of Splunk itself, Splunk has built-in methods for restricting real-time searches.

You can:

1.) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2.) Disable real-time search for particular roles and users.
3.) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4.) Edit limits.conf to restrict indexer support for real-time searches.

The documentation, "How to restrict usage of real-time search", is where you will want to go.
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Restrictrealtimesearch

Also, make sure you're reading the documentation for your version of Splunk.
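
The first two options in the answer above can be checked offline. This is an added example, not part of the original thread or Splunk's own tooling: it parses indexes.conf and authorize.conf text and lists indexes that still allow real-time search and roles that hold the `rtsearch` capability, including through `importRoles`. The sample configs are constructed, and treating imported capabilities as additive is an assumption to confirm against the documentation for your Splunk version.

```python
# Added example: audit Splunk .conf text for real-time search exposure (constructed samples).
SAMPLE_INDEXES = """\
[default]
enableRealtimeSearch = true
[main]
[web_logs]
enableRealtimeSearch = 0
"""
SAMPLE_AUTHORIZE = """\
[role_user]
rtsearch = enabled
[role_analyst]
importRoles = user
[role_readonly]
search = enabled
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def rt_enabled_indexes(text):
    """Indexes where enableRealtimeSearch is still on (Splunk's default is true)."""
    conf = parse_conf(text)
    fallback = conf.get("default", {}).get("enableRealtimeSearch", "true")
    return sorted(name for name, kv in conf.items()
                  if name != "default" and not name.startswith("volume:")
                  and kv.get("enableRealtimeSearch", fallback).lower() in ("1", "true"))

def roles_with_rtsearch(text):
    """Roles holding rtsearch directly or through importRoles (assumed additive)."""
    conf = parse_conf(text)
    def has(role, seen=()):
        kv = conf.get("role_" + role, {})
        if kv.get("rtsearch") == "enabled":
            return True
        parents = [p.strip() for p in kv.get("importRoles", "").split(";")]
        return any(has(p, seen + (role,)) for p in parents if p and p not in seen)
    return sorted(s[5:] for s in conf if s.startswith("role_") and has(s[5:]))
```

On a real deployment, feed these functions the merged output of `splunk btool indexes list` and `splunk btool authorize list` rather than a single file, so that app-level overrides are included.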


sherm77
Path Finder

If you are on 6.2.x, try this answer if you just want to turn off the automagic searches on the search home page:

http://answers.splunk.com/answers/103589/search-summary-page-automatically-runs-real-time-searches.h...

greich
Communicator

This answers the question more accurately and does not involve restricting capabilities that might be required in a large context.

0 Karma
