Hi,
Is there a way to limit how long a real-time search can run? I have customers firing them up (legitimately) and then walking away.
Documentation about the subject at How to restrict usage of real-time search
At the role level you can set some restrictions -
Upvoted because this is the most appropriate answer to your specific question - although I'm also more of a fan of limiting user capabilities and only promoting users into power user roles where they can do advanced things like rtsearch.
We can talk offline about ways to implement this and how to convert existing rtsearch panels accordingly.
Exhibit A for why RT searches are terrible. I've banned them entirely from my environment. A dashboard with a panel that refreshes every 30s (or even 10s) is preferable IMO.
authorize.conf:
[default]
rtsearch = disabled
I don't think there is such limit to aumatically finalize/kill real-time search process. You'd need to setup some custom alerts to get list of currently running real-time search and if the duration is more that your threshold, kill it.