Splunk Search

What are best practices for creating a dashboard of saved searches without hitting the concurrent search quota per user?

Contributor

All,

I'd like to allow users to create a dashboard of saved searches without it counting towards their search quota. As it stands now, it seems like any dashboard will run the saved searches under the user account that created these saved searches.

For example, if Jon creates a dashboard comprised of saved searches that he wrote, then Smith opens the dashboard, it still counts towards Jon's search quota. At least that's what I'm seeing.

Is there any way around this issue? What's the best practice for handling this?

Thanks!

1 Solution

Motivator

Here are a few suggestions:

  1. Move the searches to admin / nobody level.
  2. Use a search template to create dashboards. It will ensure reusability.
  3. If the above two steps do not help, then increasing the number of concurrent searches will be the only option.

Cheers.


Motivator

You should also realize that if Jon creates the saved query and that saved query is put into a dashboard, not only does this count against Jon's quota, it is also run with Jon's permissions. This was a 6x thing that took us unawares, as Splunk didn't (especially at first; I believe this has somewhat been addressed) handle this issue gracefully when the number of panels on the dashboard was greater than 2x the concurrent search quota.

Besides adjusting the saved search owner to a different role that has a higher concurrent search quota, you could also convert the search to be inline. When the search is now run, it is run with the quota and permissions of whoever is opening the dashboard. Another option, if this is going to be a heavily used dashboard, is to schedule the search so that the dashboard uses the search artifacts vs. running the searches each time someone opens/refreshes the dashboard.
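The options discussed above (a scheduled report under a dedicated owner whose role carries the quota), sketched as configuration; this is an added example, not something posted in the thread. The stanza name, SPL, index, role name, `svc_dashboards` account and quota value are all constructed placeholders.

```ini
# --- savedsearches.conf (in the app's local/ directory) ---
# Constructed report; a dashboard panel references it by name
# (<search ref="dashboard_failed_logins"/>) instead of inlining the SPL.
[dashboard_failed_logins]
search = index=main sourcetype=linux_secure "Failed password" | stats count by host
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
# Scheduled: viewers load the latest stored artifact rather than each
# dispatching a new job, so opening the dashboard starts no new searches.
enableSched = 1
cron_schedule = */15 * * * *
# owner (the default): ad hoc runs use the owner's quota AND permissions.
# user: ad hoc runs use the viewer's quota and permissions instead.
# Scheduled runs always execute as the owner, whatever this is set to.
dispatchAs = owner

# --- metadata/local.meta (same app) ---
# Hypothetical dedicated account as owner, so the report no longer
# consumes a person's quota. Everything it can read becomes visible to
# anyone with read access to the report, so keep its role narrow.
[savedsearches/dashboard_failed_logins]
owner = svc_dashboards
access = read : [ * ], write : [ admin ]

# --- authorize.conf ---
# Hypothetical role held only by svc_dashboards: a higher concurrent
# search quota, but limited to the indexes the dashboards need.
[role_dashboard_reports]
srchJobsQuota = 20
srchIndexesAllowed = main
srchIndexesDefault = main
```

With `dispatchAs = owner`, the owner's index access defines what every viewer of the panel can see, so review the owning role's `srchIndexesAllowed` before widening read access on the report.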


Contributor

I've just increased the number of concurrent searches that a user is able to make, but I'd really like to hear what best practices (if any) others have come up with.

0 Karma