Splunk® Enterprise

Search Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

How to restrict usage of real-time search

Because overuse of real-time search can result in performance costs, you may find it necessary to restrict its usage.

Options for restricting real-time search are as follows:

  • Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
  • Disable real-time search for particular roles and users.
  • Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
  • Edit limits.conf to restrict indexer support for real-time searches.

For Splunk Cloud Platform, if you contacted Support to enable real-time searches, you must contact Support to restrict real-time searches.

Disable real-time search in indexes.conf

Searching in real time may be very expensive on the indexer. If you want to disable it on an indexer, you can edit a [default] setting in that indexer's indexes.conf. Note that this setting cannot be overridden on an index-by-index basis, it applies to all indexes located on the indexer.

[default]
enableRealtimeSearch = <bool>

Note: A search head that connects to multiple indexers will still be able to get real-time search results from the indexers that do have it enabled.

Consult with Support before changing the enableRealtimeSearch setting in the indexes.conf file. Setting enableRealtimeSearch=false might prevent the ITSI Rules Engine from working properly. See Real-time search requirements in the IT Service Intelligence Install and Upgrade Manual.

Disable real-time search for a user or role

Real-time search is a capability that you can map to specific users or roles in Splunk Web from Manager > Access Controls. By default, the rtsearch capability is assigned to the Admin and Power roles and not the User role. A role without the rtsearch capability will not be able to run a real-time search on that search head, regardless what indexers that search head is connected to.

Set search limits on real-time searches

You can use the [search] stanza in limits.conf to change the maximum number of real-time searches that can run concurrently on your system.

[search]
max_rt_search_multiplier = <decimal number>
realtime_buffer = <int>
max_rt_search_multiplier
  • A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Defaults to 1.
  • Note: The maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches
realtime_buffer
  • The maximum number of accessible events to keep for real-time searches from the UI. Must be >= 1. Defaults to 10000.
  • The real-time buffer acts as a circular buffer once this limit is reached.

Set indexer limits for real-time search

You can use the [realtime] stanza in limits.conf to change the default settings for indexer support of real-time searches. These options can be overridden for individual searches via REST API arguments.

[realtime] 
queue_size = <int>
blocking = [0|1] 
max_blocking_secs = <int>
indexfilter = [0|1]
queue_size = <int>
  • The size of queue for each real-time search. Must be > 0.
  • Defaults to 10000.
blocking =[0|1]
  • Specifies whether the indexer should block if a queue is full.
  • Defaults to false (0).
max_blocking_secs = <int>
  • The maximum time to block if the queue is full. This option is meaningless, if blocking = false.
  • Means "no limit" if set to 0.
  • Defaults to 60.
indexfilter = [0|1]
  • Specifies whether the indexer should pre-filter events for efficiency.
  • Defaults to true (1).

See also

Last modified on 17 July, 2021
Expected performance and known limitations of real-time searches and reports   About evaluating and manipulating fields

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters