Is there a parameter that limits the number of rea...

SplunkWestcon_2 · ‎04-04-2016

Hi

We are trying to alert based on different conditions for different application log data. We see in the activity that there are only 5-6 jobs running concurrently while we have 50 alerts configured. Cpu utilization on the search head is very minimum, Concurrent. Can you please tell me if there is parameter which puts a limit on the number or real-time alerts?

Thanks

yannK · ‎04-04-2016

yes. it's a mix of

the system limits (default is number for cores*1 + 6) and a multiplier for realtime (*1) > ( cpu * max_searches_per_cpu + base_max_searches ) * max_rt_search_multiplier

example : 32 cores search-head : (32 *1 +6 ) *1 = 38

and your role quota limit for realtime searches, and a multiplier for the scheduled searches.

quota limit rtSrchJobsQuota * max_searches_perc
example : for a role A: realtime limit 6 and scheduler multiplier 50% => 6 realtime alerts and 3 realtime scheduler max

see limits.conf http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Limitsconf

[search]
base_max_searches, max_searches_per_cpu, max_rt_search_multiplier
[scheduler]

max_searches_perc

and authorize.conf for the roles quotas. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf
[role_*]
rtSrchJobsQuota

Is there a parameter that limits the number of real-time alerts?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring

Join the Conversation

Is there a parameter that limits the number of real-time alerts?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring