How to restrict usage of real-time search
Because overuse of real-time search can result in performance costs, you may find it necessary to restrict its usage.
Options for restricting real-time search are as follows:
- Disable real-time search at the indexer level by editing
indexes.conffor specific indexes.
- Disable real-time search for particular roles and users.
limits.confto reduce the number of real-time searches that can be run concurrently at any given time.
limits.confto restrict indexer support for real-time searches.
If you are using Splunk Cloud and want to restrict real-time search, file a Support ticket.
Disable real-time search in indexes.conf
Searching in real time may be very expensive on the indexer. If you want to disable it on an indexer, you can edit a
[default] setting in that indexer's
[default] enableRealtimeSearch = <bool>
Note: A search head that connects to multiple indexers will still be able to get real-time search results from the indexers that do have it enabled.
Disable real-time search for a user or role
Real-time search is a capability that you can map to specific users or roles in Splunk Web from Manager > Access Controls. By default, the rtsearch capability is assigned to the Admin and Power roles and not the User role. A role without the rtsearch capability will not be able to run a real-time search on that search head, regardless what indexers that search head is connected to.
Set search limits on real-time searches
You can use the
[search] stanza in
limits.conf to change the maximum number of real-time searches that can run concurrently on your system.
[search] max_rt_search_multiplier = <decimal number> realtime_buffer = <int>
- A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Defaults to 1.
- Note: The maximum number of real-time searches is computed as:
max_rt_searches = max_rt_search_multiplier x max_hist_searches
- The maximum number of accessible events to keep for real-time searches from the UI. Must be >= 1. Defaults to 10000.
- The real-time buffer acts as a circular buffer once this limit is reached.
Set indexer limits for real-time search
You can use the
[realtime] stanza in
limits.conf to change the default settings for indexer support of real-time searches. These options can be overridden for individual searches via REST API arguments.
[realtime] queue_size = <int> blocking = [0|1] max_blocking_secs = <int> indexfilter = [0|1]
queue_size = <int>
- The size of queue for each real-time search. Must be > 0.
- Defaults to 10000.
- Specifies whether the indexer should block if a queue is full.
- Defaults to false (0).
max_blocking_secs = <int>
- The maximum time to block if the queue is full. This option is meaningless, if
blocking = false.
- Means "no limit" if set to 0.
- Defaults to 60.
indexfilter = [0|1]
- Specifies whether the indexer should pre-filter events for efficiency.
- Defaults to true (1).
Expected performance and known limitations of real-time searches and reports
About evaluating and manipulating fields
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1