
How to remove real-time searches from Search and Home Page UI?

OMohi
Path Finder

I would like to remove real-time searches from the Home Page and Search Panel on the Splunk UI. I came across someone's opinion on removing real-time searches from times.conf at the following path on Splunk:

SPLUNK_HOME/etc/default/times.conf

I have tried implementing that change, where I commented out the real-time stanza portions of that times.conf file. The change was partly successful, as I was able to get all the real-time searches disabled except for real-time ----> 24 hour window (real-time) in the panel. Could somebody suggest how to remove 24 hour window (real-time) from the panel?
This would be helpful, as we cannot chase down clients who are using real-time searches that are taxing Splunk performance.

1 Solution

aljohnson_splun
Splunk Employee

Rather than editing the UI of Splunk itself, note that Splunk has built-in methods for restricting real-time searches.

You can:

1.) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2.) Disable real-time search for particular roles and users.
3.) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4.) Edit limits.conf to restrict indexer support for real-time searches.

The documentation, "How to restrict usage of real-time search", is where you will want to go.
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Restrictrealtimesearch

Also, make sure you're reading the documentation for your version of Splunk.
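For option 2 in the answer above, it helps to know which roles effectively hold the real-time search capability before removing it. The following is an added example, not part of the original post or Splunk's own tooling: it parses authorize.conf text and follows `importRoles` inheritance to report which roles hold `rtsearch` and which role grants it. The role names and sample file are constructed; it assumes capabilities appear as `rtsearch = enabled` and that `importRoles` is a semicolon-separated list.

```python
import configparser

# Constructed authorize.conf content (not taken from a real deployment).
SAMPLE = """
[role_user]
rtsearch = enabled

[role_power]
importRoles = user

[role_dashboard_viewer]
search = enabled

[role_soc_analyst]
importRoles = dashboard_viewer
rtsearch = enabled
"""

def parse_roles(conf_text):
    """Return {role: (own_capabilities, imported_roles)} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        items = dict(cp.items(section))
        imports = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def rtsearch_source(role, roles, seen=None):
    """Return the role that grants rtsearch to `role` (itself or an ancestor), else None."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # import cycle or undefined role
        return None
    seen.add(role)
    caps, imports = roles[role]
    if "rtsearch" in caps:
        return role
    sources = (rtsearch_source(p, roles, seen) for p in imports)
    return next((s for s in sources if s), None)

def audit(conf_text):
    """Map each role that effectively holds rtsearch to the role granting it."""
    roles = parse_roles(conf_text)
    found = {r: rtsearch_source(r, roles) for r in roles}
    return {r: s for r, s in found.items() if s}
```

Roles that inherit the capability (here `power`, via `user`) only lose it when it is removed from the granting role, so the granting role is the one to edit.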


sherm77
Path Finder

If you are on 6.2.x, try this answer if you just want to turn off the automagic searches on the search home page:

http://answers.splunk.com/answers/103589/search-summary-page-automatically-runs-real-time-searches.h...

greich
Communicator

This answers the question more accurately and does not involve restricting capabilities that might be required in a large context.

0 Karma
