How to remove real-time searches from Search and Home Page UI?

Path Finder

I would like to remove real-time searches from the Home Page and Search Panel in the Splunk UI. I came across someone's opinion on removing real-time searches from times.conf at the following path on Splunk:

SPLUNK_HOME/etc/default/times.conf

I have tried implementing that change, where I commented out the real-time stanza portions of that times.conf file. The change was partly successful, as I was able to get all the real-time searches disabled except for real-time ----> 24 hour window (real-time) in the panel. Could somebody suggest how to remove 24 hour window (real-time) from the panel?
This would be helpful, as we cannot chase down clients who are using real-time searches that are taxing Splunk's performance.


Re: How to remove real-time searches from Search and Home Page UI?

Splunk Employee

Rather than editing the UI of Splunk itself, Splunk has built-in methods for restricting real-time searches.

You can:

1.) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2.) Disable real-time search for particular roles and users.
3.) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4.) Edit limits.conf to restrict indexer support for real-time searches.

The documentation page "How to restrict usage of real-time search" is where you will want to go:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Restrictrealtimesearch

Also, make sure you're reading the documentation for your version of Splunk.

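The first three restrictions listed in the answer above, sketched as configuration (an added example, not part of the original posts and not Splunk's shipped files). The index name `web_logs`, the role name `role_analyst` and the numeric values are hypothetical; the settings are placed in `local` directories rather than `default` so that an upgrade does not overwrite them.

```ini
# ---- indexes.conf on each indexer ($SPLUNK_HOME/etc/system/local/) ----
# 1) Refuse real-time searches against a specific index.
#    "web_logs" is a hypothetical index name.
[web_logs]
enableRealtimeSearch = false

# ---- authorize.conf on the search head ($SPLUNK_HOME/etc/system/local/) ----
# 2) Take the real-time search capability away from a role.
#    "role_analyst" is a hypothetical role. A role that pulls in another
#    role through importRoles still inherits that role's capabilities,
#    so check the parent roles as well.
[role_analyst]
rtsearch = disabled

#    For a role that keeps the capability, cap how many real-time
#    searches each of its users may run at once (value is illustrative).
[role_power]
rtSrchJobsQuota = 2

# ---- limits.conf on the search head ($SPLUNK_HOME/etc/system/local/) ----
# 3) Lower the system-wide ceiling on concurrent real-time searches.
#    The ceiling is this multiplier applied to the historical search
#    limit (value is illustrative).
[search]
max_rt_search_multiplier = 1
```

After a restart, `splunk btool indexes list web_logs --debug` (and the same for `authorize` and `limits`) shows the merged value and which file it came from; confirm each setting name against the `.conf.spec` files for your Splunk version.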


Re: How to remove real-time searches from Search and Home Page UI?

Path Finder

If you are on 6.2.x, try this answer if you just want to turn off the automagic searches on the search home page:

http://answers.splunk.com/answers/103589/search-summary-page-automatically-runs-real-time-searches.h...


Re: How to remove real-time searches from Search and Home Page UI?

Communicator

This answers the question more accurately and does not involve restricting capabilities that might be required in a large context.