Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the max value for maxsearches? Is there a way to NOT have a max (set to 0 or -1)?

dougmartin
Path Finder
‎08-18-2015 10:58 AM

What is the max value for maxsearches? Is there a way to NOT have a max (set to 0 or -1)?

Tags (3)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎08-18-2015 12:09 PM

You can adjust this, but the primary calculation is a practical limit on performance. This is controlled in limits.conf.

The maximum number of concurrent searches is calculated based on max_searches_per_cpu times the number of CPU cores in the system (as reported by the OS, which means VMs often lie when given multiple vCPUs but are running on a small number of hardware cores thanks to threading and shady hypervisor oversubscription models) + base_max_searches.

max_searches_per_cpu defaults to 1
base_max_searches defaults to 6

Therefore, in a reference system with 12 cores, you have 1 x 12 + 6 = 18.

If you need to crank this up, you can linearly scale this by core count using max_searches_per_cpu by setting it to 2 or more. This changes the math to be 2 x 12 + 6 = 30 or 3 x 12 + 6 = 42. If you just want to tweak it up by a fixed amount, adjust base_max_searches to a higher value.

All of the above comes with the caveat that generally these are bad ideas to implement in a production setting unless you have a highly underutilized system performing large numbers of extremely low memory and low CPU usage searches.

--
Jesse Trucks
Minister of Magic
Reply

biec1
Explorer
‎02-28-2017 11:45 PM

The following is the current configuration in our environment. We are getting max_concurrent limit reached on one of the three Search Heads for specific Saved Search. It does not happen on rest of the two Search Heads.
Search Head:- 3x16+10=58
Search Peer :- 1x20+6=26

Is it necessary to maintain identical parameters on both Search peers and Search heads?
Shall i increase max_searches_per_cpu on Search Peers from 1 to 2?

0 Karma
Reply
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...