Splunk Search

User level Concurrent search limits

maniu1609
Path Finder

Hi Everyone,
On my system, I have 2 CPU cores
In $SPLUNKHOME/etc/system/local/limits.conf file I got below details,

max_searches_per_cpu = 1

the base number of concurrent searches

base_max_searches = 6

max real-time searches = max_rt_search_multiplier x max historical searches

max_rt_search_multiplier = 1

on search head, Access controls » Roles » demorole

User-level concurrent search jobs limit = 10

now, the demorole role will choose which option? 8 or 10?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

As you have 2 CPU cores only, you can maximum run 8 searches concurrently based on default settings. Due to resource limitation splunk will not hit User-level concurrent search jobs limit which is 10 in your case.

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

As you have 2 CPU cores only, you can maximum run 8 searches concurrently based on default settings. Due to resource limitation splunk will not hit User-level concurrent search jobs limit which is 10 in your case.

0 Karma

maniu1609
Path Finder

Thanks @harsmarvania57. So whatever role we create should have user-level concurrent search limit less than number of concurrent search defined in limits.conf. Correct me if my understanding is wrong. Also I have one more query here. Should we define limits.conf at search head or in indexer?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Even if you provide higher user-level concurrent search limit then also it will not take into effect because before splunk will hit user-level concurrent search limit, it will hit CPU resource limitation so yes set user-level concurrent search limit less than or equal to your CPU core (Calculation is max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches )

Do you want to change any parameter value in limits.conf ? If yes then it should be on Search Heads but if you want to run on default settings then you do not need to set anything, splunk will automatically take default config from $SPLUNK_HOME/etc/system/default/limits.conf

0 Karma

maniu1609
Path Finder

That's really great information. Thanks a lot @harsmarvania57

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

You are welcome

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...