I am not searching for anything. Why is the above message displayed very frequently?
I have deleted all saved searches.
Some real-time searches are run whenever you view the top of the Search app. And I guess some saved searches still remain, so you see the warning.
Is there any parameter to configure anywhere in Splunk in order to fix this problem or stop showing this message?
This is OK now. The procedures to fix that are below...
$ sudo touch $SPLUNK_HOME/etc/system/local/limits.conf
$ sudo vim $SPLUNK_HOME/etc/system/local/limits.conf
$ sudo $SPLUNK_HOME/bin/splunk restart
Shutting down. Please wait, as this may take a few minutes.
Stopping splunk helpers...
Splunk> Take the sh out of IT.
Checking http port : open
Checking mgmt port : open
Checking configuration... Done.
Checking index directory...
Validated databases: audit _blocksignature _internal _thefishbucket appmgmt blackberry history main msexchange perfmon sos sossummarydaily summary summaryforwarders summaryhosts summaryindexers summarypools summarysources summary_sourcetypes
Checking conf files for typos...
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com/Documentation/Splunk
The Splunk web interface is at http://myhost:8000
Does this error affect anything, or can it be easily ignored?
Thank you, Sir! Worked like a charm. Now to make sure I don't overload my server with too many real-time alerts 🙂
This is more than a little dated, and the way these configurations work has changed in 5 years.
Do NOT use these settings in limits.conf
The error message will go away, but plenty of new pain will result.
I downvoted this post because this is very dated information that is no longer valid and may result in a seriously broken environment. Please do not set settings this high without consultation.