- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- The splunk-system-user is hitting a quota limit. ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running summary searches and the splunk-system-user keeps hitting a quota limit.
04-12-2010 16:50:28.436 ERROR SavedSplunker -
Maximum disk usage=10422MB quota=10000MB, reached. Search not executed.
SearchId=scheduler_nobody_myapp_custom_summary_searchname
I'm only running summary searches on this host so I want to give the splunk-system-user free reign. How can I increase the quota for just the splunk-system-user?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that when scheduled search does not have an owner, it is run by splunk-system-user.
The splunk-system-user seems to have a hardcoded quota.
Therefore, you'll need to assign an owner/user to the scheduled search and specify a role for the user. This is because there isn't a way to set a per-user disk quota so you'll have to edit the role to increase this limit. Here are the defaults from $SPLUNK_HOME/etc/system/default/authorize.conf:
[role_admin]
srchDiskQuota = 10000
[role_power]
srchDiskQuota = 500
[role_user]
srchDiskQuota = 100
(System-wide default is 100 MB which will be applied to all roles where a srchDiskQuota is not specified)
Best way is probably to create a custom role and assign it to this user rather than edit the defaults for the canned roles. Create your custom role in $SPLUNK_HOME/etc/system/local/authorize.conf:
[role_quota]
srchDiskQuota = 5000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that when scheduled search does not have an owner, it is run by splunk-system-user.
The splunk-system-user seems to have a hardcoded quota.
Therefore, you'll need to assign an owner/user to the scheduled search and specify a role for the user. This is because there isn't a way to set a per-user disk quota so you'll have to edit the role to increase this limit. Here are the defaults from $SPLUNK_HOME/etc/system/default/authorize.conf:
[role_admin]
srchDiskQuota = 10000
[role_power]
srchDiskQuota = 500
[role_user]
srchDiskQuota = 100
(System-wide default is 100 MB which will be applied to all roles where a srchDiskQuota is not specified)
Best way is probably to create a custom role and assign it to this user rather than edit the defaults for the canned roles. Create your custom role in $SPLUNK_HOME/etc/system/local/authorize.conf:
[role_quota]
srchDiskQuota = 5000
Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...
Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
