Splunk Search

How to remove real-time searches from Search and Home Page UI?

OMohi
Path Finder

I would like to remove real-time searches from the Home Page and Search Panel on the Splunk UI. I came across someone's suggestion to remove real-time searches from times.conf at the following path on Splunk:

SPLUNK_HOME/etc/default/times.conf

I have tried implementing that change, where I commented out the real-time stanza portions of that times.conf file. The change was partly successful, as I was able to get all the real-time searches disabled except for real-time ----> 24 hour window (real-time) from the panel. Could somebody suggest how to remove 24 hour window (real-time) from the panel?
This would be helpful as we cannot chase down clients who are using real-time searches that are taxing Splunk performance.


aljohnson_splun
Splunk Employee

Rather than editing the UI of Splunk itself, Splunk has built-in methods for restricting real-time searches.

You can:

1.) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2.) Disable real-time search for particular roles and users.
3.) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4.) Edit limits.conf to restrict indexer support for real-time searches.

The documentation, "How to restrict usage of real-time search", is where you will want to go.
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Restrictrealtimesearch

Also, make sure you're reading the documentation for your version of Splunk.

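For option 2 in the answer above, an added example (not from the original post and not Splunk's own tooling): a Python audit that reads authorize.conf text and reports every role that can still run real-time searches, either through its own `rtsearch` capability or through `importRoles`. The sample file and its role names are constructed, and the additive treatment of inherited capabilities is an assumption to confirm against the documentation for your Splunk version.

```python
import re

# Constructed sample authorize.conf (role names are illustrative, not from the thread).
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
rtsearch = enabled

[role_power]
importRoles = user

[role_dashboard_viewer]
search = enabled

[role_analyst]
importRoles = dashboard_viewer;user
rtsearch = disabled

[role_soc]
importRoles = power
"""

def parse_roles(conf_text):
    """Return {role: {setting: value}} for every [role_<name>] stanza."""
    roles, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            name = stanza.group(1)
            current = roles.setdefault(name[5:], {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return roles

def rtsearch_grantors(roles):
    """Map each role able to run real-time searches to the role granting rtsearch.
    Assumption: imported grants apply even if the role sets rtsearch = disabled."""
    def grantor(role, seen):
        if role in seen or role not in roles:
            return None  # import cycle, already-checked role, or undefined role
        seen.add(role)
        if roles[role].get("rtsearch", "").lower() == "enabled":
            return role
        parents = roles[role].get("importRoles", "").split(";")
        return next((g for p in parents if (g := grantor(p.strip(), seen))), None)
    found = {role: grantor(role, set()) for role in sorted(roles)}
    return {role: g for role, g in found.items() if g}
```

Run it against the merged authorize.conf from your search head; the value for each role names where the grant comes from, which is the stanza to edit.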

sherm77
Path Finder

If you are on 6.2.x, try this answer if you just want to turn off the automagic searches on the search home page:

http://answers.splunk.com/answers/103589/search-summary-page-automatically-runs-real-time-searches.h...

greich
Communicator

This answers the question more accurately and does not involve restricting capabilities that might be required in a large context.

