Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Concurrent search limits question

rgreer
Path Finder
‎01-08-2021 07:19 AM

We are currently evaluating Splunk's cloud offering and the topic of concurrent searches has come up.  This is a bit of a concern for our team as one of the things we'd like to leverage Splunk for is alerting for various systems throughout our environment.  We're expecting around 200+ various alerts running at various intervals.  I'm assuming that we cannot be the only folks wanting to utilize Splunk this way within the cloud.  

I wanted to ask the community if the concurrent limits within Splunk Cloud are ever really an issue.  We've gone round and round with our sells engineer on if this is an issue and he's mentioned that the solution will scale with the amount we index but we're not 100% convinced this solves the problem. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-09-2021 06:29 AM

Hi @rgreer,

Splunk Cloud manages resources according to ingestion capacity. You can check below documents and make a guess if concurrent limits will be an issue or not. While lower than 50 GB/day ingestion gives 20 concurrent searches, 50GB/day to 1TB/day your limits will start with 38. And if you are planning to use premium app like Enterprise Security or ITSI, you will have extra search capacity.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Service/SplunkCloudservice#Splunk_Cloud_p...

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Service/SplunkCloudservice#Splunk_Cloud_s...

You should schedule 200+ various alerts carefully to have lower search concurrency. I mean schedules like every 5 min, every 10 min, every 15min etc will cause concurrency top at every beginning an hour. That is why using cron schedules like  "*/2 * * * *" or "1-59/2 * * * *" will help.

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

rgreer
Path Finder
‎01-11-2021 06:51 AM

Thanks, this is pretty much where I landed in my research. 

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-09-2021 06:29 AM

Hi @rgreer,

Splunk Cloud manages resources according to ingestion capacity. You can check below documents and make a guess if concurrent limits will be an issue or not. While lower than 50 GB/day ingestion gives 20 concurrent searches, 50GB/day to 1TB/day your limits will start with 38. And if you are planning to use premium app like Enterprise Security or ITSI, you will have extra search capacity.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Service/SplunkCloudservice#Splunk_Cloud_p...

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Service/SplunkCloudservice#Splunk_Cloud_s...

You should schedule 200+ various alerts carefully to have lower search concurrency. I mean schedules like every 5 min, every 10 min, every 15min etc will cause concurrency top at every beginning an hour. That is why using cron schedules like  "*/2 * * * *" or "1-59/2 * * * *" will help.

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...