Background:
I am using Splunk version 4.3.3, with 4 indexers and 1 search head, and using the default configuration for limits.conf.
OS: RHEL 6
Subnet: logging
HDD 1: 40
HDD 2: 100
Memory: 16
CPU cores: 4
With the default settings, my search head is capable of doing 4 concurrent searches (as recommended by Splunk).
However, I am often getting "maximum historical search limit is reached", and this is quite annoying for my users.
Please suggest the best idea to resolve this (something from my readings below; correct me if I am wrong).
Shall I tweak the default settings in limits.conf? How far is it recommended to localize this configuration file?
Shall I increase the number of cores in the search head's CPU?
Do I need to go for multiple search heads?
Can I try this:
Restrict the Splunk users from triggering a complex query, or a query which fetches very old data.
Restrict features in the TimeRange picker: remove the "All Time" selection.
However, I wanted to limit the users from complex queries. Are there any tricks?
Or is there any way to force the search query to show limited data, even though a long time range is selected?
Kindly advise.
Thanks,
Chimbu