Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The splunk-system-user is hitting a quota limit. How do I increase the quota for this user?

the_wolverine
Champion
‎04-13-2010 11:29 AM

I'm running summary searches and the splunk-system-user keeps hitting a quota limit. 

  04-12-2010 16:50:28.436 ERROR SavedSplunker - 
  Maximum disk usage=10422MB quota=10000MB, reached. Search not executed. 
  SearchId=scheduler_nobody_myapp_custom_summary_searchname

I'm only running summary searches on this host so I want to give the splunk-system-user free reign. How can I increase the quota for just the splunk-system-user?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎04-13-2010 11:48 AM

Note that when scheduled search does not have an owner, it is run by splunk-system-user.

The splunk-system-user seems to have a hardcoded quota.

Therefore, you'll need to assign an owner/user to the scheduled search and specify a role for the user. This is because there isn't a way to set a per-user disk quota so you'll have to edit the role to increase this limit. Here are the defaults from $SPLUNK_HOME/etc/system/default/authorize.conf:

[role_admin]
srchDiskQuota = 10000

[role_power]
srchDiskQuota = 500

[role_user]
srchDiskQuota = 100

(System-wide default is 100 MB which will be applied to all roles where a srchDiskQuota is not specified)

Best way is probably to create a custom role and assign it to this user rather than edit the defaults for the canned roles. Create your custom role in $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_quota]
srchDiskQuota = 5000

View solution in original post

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎04-13-2010 11:48 AM

Note that when scheduled search does not have an owner, it is run by splunk-system-user.

The splunk-system-user seems to have a hardcoded quota.

Therefore, you'll need to assign an owner/user to the scheduled search and specify a role for the user. This is because there isn't a way to set a per-user disk quota so you'll have to edit the role to increase this limit. Here are the defaults from $SPLUNK_HOME/etc/system/default/authorize.conf:

[role_admin]
srchDiskQuota = 10000

[role_power]
srchDiskQuota = 500

[role_user]
srchDiskQuota = 100

(System-wide default is 100 MB which will be applied to all roles where a srchDiskQuota is not specified)

Best way is probably to create a custom role and assign it to this user rather than edit the defaults for the canned roles. Create your custom role in $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_quota]
srchDiskQuota = 5000
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...