Is there a way to tell which users are hitting their search limits? I've looked for these events in the internal indexes but cant find them. Maybe a rest search?
Please use the below search. you should be able to see the reached limit messages for both user & role assuming someone is hitting the limit.
index=_internal sourcetype=splunkd component=DispatchManager
-- Hope this helps.
Please use the below search. you should be able to see the reached limit messages for both user & role assuming someone is hitting the limit.
index=_internal sourcetype=splunkd component=DispatchManager
-- Hope this helps.