Splunk Search

Simultaneous queries/jobs limit

sranga
Path Finder

Hi

I was wondering if there is a limit on the count of simultaneous queries/searches/jobs executed in a Splunk instance.

Would saved searches count towards this limit (if there is one)?
Appreciate your help.

-Ranga


Stephen_Sorkin
Splunk Employee

Yes, there is a limit and it's configurable in limits.conf in:

[search]
# the maximum number of concurrent searches per CPU 
max_searches_per_cpu = 4

# the base number of concurrent searches
base_max_searches = 4

# max real-time searches = max_rt_search_multiplier x max historical searches
max_rt_search_multiplier = 3

# the total number of concurrent searches is base_max_searches + #cpus*max_searches_per_cpu

A separate per-user limit exists in authorize.conf in:

[role_<role>]
srchDiskQuota = <number>
    * Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role
    * Defaults to '100', for 100 MB.

srchJobsQuota = <number>
    * Maximum number of concurrently running historical searches a member of this role can have (excludes real-time searches, see rtSrchJobsQuota)
    * Defaults to 3

Saved searches count towards this limit, but they have a stricter quota expressed as a percent of the system-wide quota in limits.conf:

[scheduler]
# the maximum number of searches the scheduler can run, as a percentage
# of the maximum number of concurrent searches 
max_searches_perc  = 25

There is also a per-savedsearch concurrent limit which defaults to 1 and is set per-search in savedsearches.conf:

[<search_name>]
max_concurrent = <int>
    * The maximum number of concurrent instances of this search the scheduler 
    * is allowed to run. 
    * Defaults to 1
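
A worked calculation of the limits described in the answer above, as an added example that is not part of the original post or Splunk's own code: it parses the quoted stanzas and computes the effective ceilings for a given CPU count. The CPU counts, the `role_user` stanza name, rounding down of the scheduler share, and treating the total concurrent figure as the historical maximum are assumptions.

```python
import configparser
import math

# Constructed sample input: the settings quoted in the answer, with its values.
LIMITS_CONF = """
[search]
max_searches_per_cpu = 4
base_max_searches = 4
max_rt_search_multiplier = 3

[scheduler]
max_searches_perc = 25
"""

# Assumption: a role named "user" with the default quota from the answer.
AUTHORIZE_CONF = """
[role_user]
srchJobsQuota = 3
"""

def parse_conf(text):
    """Parse .conf text, keeping setting names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def system_limits(limits, cpus):
    """Apply the formulas from the answer's comments for a given CPU count."""
    search = limits["search"]
    historical = (search.getint("base_max_searches")
                  + cpus * search.getint("max_searches_per_cpu"))
    realtime = search.getint("max_rt_search_multiplier") * historical
    perc = limits["scheduler"].getint("max_searches_perc")
    # Assumption: a fractional scheduler share is rounded down.
    scheduled = historical * perc // 100
    return {"historical": historical, "realtime": realtime, "scheduled": scheduled}

def users_to_reach_limit(authorize, role, historical):
    """Users of one role, each at srchJobsQuota, needed to fill the system limit."""
    quota = authorize["role_" + role].getint("srchJobsQuota")
    return math.ceil(historical / quota)

if __name__ == "__main__":
    limits, authorize = parse_conf(LIMITS_CONF), parse_conf(AUTHORIZE_CONF)
    for cpus in (4, 8, 16):  # assumed CPU counts
        result = system_limits(limits, cpus)
        print(cpus, result, users_to_reach_limit(authorize, "user", result["historical"]))
```

With the values shown, an 8-CPU instance allows 36 concurrent historical searches, of which the scheduler may use 9.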

sranga
Path Finder

Hi Stephen. Thanks for the answer. Is there a "physical" limit or a "recommended" limit for these configurable values depending on the hardware being used?
