Splunk® Enterprise

Search Manual

How to restrict usage of real-time search

Because overuse of real-time search can result in performance costs, you may find it necessary to restrict its usage.

Options for restricting real-time search are as follows:

  • Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
  • Disable real-time search for particular roles and users.
  • Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
  • Edit limits.conf to restrict indexer support for real-time searches.

If you are using Splunk Cloud and want to restrict real-time search, file a Support ticket.

Disable real-time search in indexes.conf

Searching in real time may be very expensive on the indexer. If you want to disable it on an indexer, you can edit a [default] setting in that indexer's indexes.conf.

[default]
enableRealtimeSearch = <bool>

Note: A search head that connects to multiple indexers will still be able to get real-time search results from the indexers that do have it enabled.

Disable real-time search for a user or role

Real-time search is a capability that you can map to specific users or roles in Splunk Web from Manager > Access Controls. By default, the rtsearch capability is assigned to the Admin and Power roles and not to the User role. A role without the rtsearch capability cannot run a real-time search on that search head, regardless of which indexers the search head is connected to.

Set search limits on real-time searches

You can use the [search] stanza in limits.conf to change the maximum number of real-time searches that can run concurrently on your system.

[search]
max_rt_search_multiplier = <decimal number>
realtime_buffer = <int>

max_rt_search_multiplier
  • A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Defaults to 1.
  • Note: The maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches
realtime_buffer
  • The maximum number of accessible events to keep for real-time searches from the UI. Must be >= 1. Defaults to 10000.
  • The real-time buffer acts as a circular buffer once this limit is reached.

Set indexer limits for real-time search

You can use the [realtime] stanza in limits.conf to change the default settings for indexer support of real-time searches. These options can be overridden for individual searches via REST API arguments.

[realtime]
queue_size = <int>
blocking = [0|1]
max_blocking_secs = <int>
indexfilter = [0|1]

queue_size = <int>
  • The size of the queue for each real-time search. Must be > 0.
  • Defaults to 10000.
blocking = [0|1]
  • Specifies whether the indexer should block if a queue is full.
  • Defaults to false (0).
max_blocking_secs = <int>
  • The maximum time to block if the queue is full. This option has no effect if blocking = false.
  • Means "no limit" if set to 0.
  • Defaults to 60.
indexfilter = [0|1]
  • Specifies whether the indexer should pre-filter events for efficiency.
  • Defaults to true (1).
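The three configuration fragments above (the [default] stanza of indexes.conf, and the [search] and [realtime] stanzas of limits.conf) are easy to misread in combination, for example setting max_blocking_secs while blocking is still 0, or forgetting that the real-time search ceiling is derived from max_hist_searches rather than set directly. The following script is an added example, not Splunk code: it parses constructed sample .conf text with a minimal stanza/key=value reader, applies the defaults stated on this page, computes max_rt_searches = max_rt_search_multiplier x max_hist_searches, and reports the resulting real-time search posture. The helper names (parse_conf, audit) and the sample values are assumptions for the example only.

```python
"""Audit Splunk .conf fragments for the real-time search restrictions
described above.  Added example, not Splunk code: the parser is a minimal
stanza/key=value reader and the sample conf text is constructed."""
import re
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

# Constructed sample standing in for an indexer's indexes.conf.
INDEXES_CONF = """
[default]
enableRealtimeSearch = false

[main]
homePath = $SPLUNK_DB/defaultdb/db
"""

# Constructed sample standing in for limits.conf on the same host.
# max_blocking_secs is set although blocking = 0, which the audit flags.
LIMITS_CONF = """
[search]
max_hist_searches = 6
max_rt_search_multiplier = 0.5
realtime_buffer = 10000

[realtime]
queue_size = 10000
blocking = 0
max_blocking_secs = 60
indexfilter = 1
"""


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Skips '#' comments and blank lines; continuation lines and
    $SPLUNK_HOME expansion are deliberately not handled here."""
    conf: Conf = {}
    stanza: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1)
            conf.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[stanza][key.strip()] = value.strip()
    return conf


def as_bool(value: str) -> bool:
    """Splunk boolean settings accept true/false, 1/0, yes/no."""
    return value.strip().lower() in ("1", "true", "yes", "t", "y")


def max_rt_searches(limits: Conf) -> int:
    """max_rt_searches = max_rt_search_multiplier x max_hist_searches.
    The multiplier defaults to 1 (as stated above); max_hist_searches has
    no default on this page, so it must be present in the [search] stanza."""
    search = limits.get("search", {})
    hist = int(search["max_hist_searches"])
    mult = float(search.get("max_rt_search_multiplier", "1"))
    return int(hist * mult)


def audit(indexes: Conf, limits: Conf) -> Dict[str, object]:
    """Summarise real-time search posture and flag inconsistent settings."""
    report: Dict[str, object] = {}
    default = indexes.get("default", {})
    # None means the key is absent here and Splunk's own default applies.
    report["indexer_rt_enabled"] = (
        as_bool(default["enableRealtimeSearch"])
        if "enableRealtimeSearch" in default else None
    )
    report["max_rt_searches"] = max_rt_searches(limits)

    warnings: List[str] = []
    search = limits.get("search", {})
    if int(search.get("realtime_buffer", "10000")) < 1:
        warnings.append("realtime_buffer must be >= 1")
    realtime = limits.get("realtime", {})
    if int(realtime.get("queue_size", "10000")) <= 0:
        warnings.append("queue_size must be > 0")
    if not as_bool(realtime.get("blocking", "0")) and "max_blocking_secs" in realtime:
        warnings.append("max_blocking_secs has no effect while blocking = 0")
    report["warnings"] = warnings
    return report


if __name__ == "__main__":
    result = audit(parse_conf(INDEXES_CONF), parse_conf(LIMITS_CONF))
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed sample, the indexer reports real-time search disabled, a ceiling of 3 concurrent real-time searches (6 x 0.5), and one warning about the ineffective max_blocking_secs. Pointing the parser at real files under $SPLUNK_HOME/etc/system/local is left to the reader; the layering of default, app and local .conf files is outside what this page covers.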
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0