Splunk Search

Set max concurrent search for a particular saved search

Explorer

Hello community and experts,

Is it possible to set a max concurrent search for a particular saved search?

The use case is that:

  • We have an external system which APIs into Splunk to run a saved search
  • This saved search searches a particular KV Store, return records and update those records
  • There are two instances of this external system
  • We don't want two instances of the external system to access to the KV Store at the same time
  • If we can set a max concurrent search on this particular saved search, we'd set it to 1

Your feedback would be greatly appreciated!

Thanks in advance!

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust
Probably add also this rtSrchJobsQuota=0 to ensure that no real-time queries is not try to use with this user (with rest, those cannot use anyhow).

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Not directly, but...

Could you set that API to use a user/role that's specific to it and set that role's concurrent search limit to 1?

Explorer

Thanks @Richfez for your advice!

 

Yes, we can create a particular Splunk user and a particular role for this purpose.

Is it possible to specify a concurrent search to a role? would you please be kind enough to point me to relevant splunk doc?

0 Karma

SplunkTrust
SplunkTrust
All capabilities are set to role and then role has given to user/group of users. You can see that on https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Authorizeconf
r. Ismo
0 Karma

Explorer

Thanks @soutamo  for your further inputs!

So, if I want a particular API user to be able to run only 1 concurrent search, then I would create a custom role with srchJobsQuota=1 and assign this role to the API user - - - did I get it right?

0 Karma

SplunkTrust
SplunkTrust
Probably add also this rtSrchJobsQuota=0 to ensure that no real-time queries is not try to use with this user (with rest, those cannot use anyhow).

View solution in original post

0 Karma

Explorer

thanks @soutamo !

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!