Splunk Search

customizing limits.conf for number of searches

mdmaala
Communicator

Hi! I am currently creating a dashboard where I run a total of 14 concurrent real-time searches. Whenever I run the dashboard, the data shown in the dashboard updates after 10 seconds, but that is too much delay for my requirement. Is it possible to edit the limits.conf file so that I will not experience delays in the updating of my dashboard?

Thank you so much!


adonio
Ultra Champion

Hello there,

I would suggest getting back to the drawing board and asking yourself the following questions:
1. Why do I need a real-time search?
2. Do I really need all 14 searches?
3. Is there any way I can consolidate those searches?
4. How can I work with my dashboard of 14 panels populating in real time?
5. Are there 14 people looking at the dashboard every moment, one at each panel?

Then you can consider many of Splunk's great options to improve performance (alongside increasing CPU on your 2012 Server, as appears from another question you asked: https://answers.splunk.com/answers/736703/splunk-reaching-max-number-of-concurrent-searches.html):

  1. Scheduled searches / reports
  2. Dashboard base searches
  3. How to consolidate searches or use split by (I am guessing here, you might be doing this already)

In any case, playing with limits.conf would be the last thing I'll do, and only if no other option is working.
Here is an answer that explains concurrent searches in detail. I also put the link in your other question:

https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html

Hope it helps


chrisyounger
SplunkTrust

Yes, it is possible to edit limits.conf and change the max_base_searches. You can change base_max_searches to be higher. There are other settings too.

Now, typically changing the search limits is a bad idea because they are there to protect you against bad performance. A better solution would be any of the following:
- Use a base search on your dashboard.
- Use report acceleration.
- Use a saved search.
- and many more options here: https://conf.splunk.com/files/2017/slides/speed-up-your-searches.pdf
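
An added example, not part of any post in this thread: a small calculator for the system-wide search concurrency ceilings that the `[search]` stanza of limits.conf produces, using the formula and defaults documented in limits.conf.spec. The CPU count, the sample override and the function names are assumptions made for illustration; per-role quotas are not modelled.

```python
import configparser

# Defaults of the [search] stanza as documented in limits.conf.spec.
DEFAULTS = {"base_max_searches": 6.0,
            "max_searches_per_cpu": 1.0,
            "max_rt_search_multiplier": 1.0}

# Constructed sample: a local override that only raises base_max_searches.
SAMPLE_LIMITS_CONF = """
[search]
# raised from the default of 6
base_max_searches = 10
"""

def load_search_limits(conf_text):
    """Return the [search] concurrency settings, falling back to defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    limits = dict(DEFAULTS)
    if parser.has_section("search"):
        for key in DEFAULTS:
            if parser.has_option("search", key):
                limits[key] = parser.getfloat("search", key)
    return limits

def concurrency_limits(limits, cpu_count):
    """Return (historical, real_time) concurrent-search ceilings.

    historical = max_searches_per_cpu * cpu_count + base_max_searches
    real_time  = max_rt_search_multiplier * historical
    """
    historical = int(limits["max_searches_per_cpu"] * cpu_count
                     + limits["base_max_searches"])
    real_time = int(limits["max_rt_search_multiplier"] * historical)
    return historical, real_time

def queued_searches(requested, ceiling):
    """Number of requested searches that cannot start under the ceiling."""
    return max(0, requested - ceiling)

if __name__ == "__main__":
    cpus = 4  # assumed core count; the thread does not state it
    for label, text in (("defaults", ""), ("override", SAMPLE_LIMITS_CONF)):
        hist, rt = concurrency_limits(load_search_limits(text), cpus)
        print(label, "historical:", hist, "real-time:", rt,
              "queued of 14 real-time panels:", queued_searches(14, rt))
    # One base search feeding 14 post-process panels needs a single slot.
    print("queued with one base search:", queued_searches(1, rt))
```

With the assumed four cores, the defaults leave 4 of the 14 real-time panels waiting, while a single base search that feeds the panels fits without touching limits.conf.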

mdmaala
Communicator

Thank you @chrisyoungerjds! This is a big help!

mdmaala
Communicator

Thank you so much! Yes, I really need the 14 panels to monitor different parameters that are required for my dashboard. But this is of great help 🙂
