Configure admission rules to prefilter searches
Admission rules let you filter out searches automatically before they start, based on a predicate (condition) that you define. If a search meets the specified condition, the search is not executed.
You can use admission rules to prevent the execution of rogue searches, such as poorly written and potentially harmful searches that might consume an excessive amount of resources and interfere with critical search workloads. For example, you can create a rule to filter out wildcard searches that target all indexes, or filter out searches in the
alltime time range.
You can also use admission rules to set up time-bound access to searches for roles, users, apps and so on. For example, you can create a rule that filters out all ad hoc searches from a certain role during peak business days, but allows the same role to run searches on weekends. And you can create rules to limit the number concurrent ad hoc searches to retain search capacity for scheduled searches.
Admission rules have no explicit ordering. All admission rules are evaluated when a search is dispatched. If a search meets the conditions of a rule, the rule takes effect before the search is executed. If a search is already running, and you create a new admission rule that applies to that search, the running search is not affected by the new rule.
Admission rules are enabled by default for the
sc_admin role. You can create a maximum of 100 admission rules per Splunk Cloud Platform deployment.
Create an admission rule using Splunk Web
To create and edit admission rules, a user's role must have the
To create an admission rule using Splunk Web:
- In Splunk Web, click Settings > Workload Management.
- Click Add Admission Rule.
- Define the following fields to configure a new admission rule:
Field Action Name Specify the name of the admission rule. Predicate (Condition) Specify a predicate (condition) that must match to trigger this rule. The predicate syntax is <type>=<value> with optional AND, OR, NOT, (). For example,
app=search AND role=powertriggers all searches belonging to both the Search app and the power role.
Valid predicate types are
adhoc_search_percentage. For supported predicate values, see Specify predicate values on this page.
In complex predicates,
NOToperators must be upper case. Lower case is not supported.
Schedule (Optional) Set a schedule for the admission rule. The schedule determines the time period during which the rule is valid.
If set to
Always On(the default), the rule remains valid indefinitely and does not expire.
If set to
Time Range, the rule is valid during the specified time range only and expires when the time range ends.
If set to
Every Week, or
Every Month, the rule becomes valid on a recurring basis during the specified time range every day, on the specified days of the week, or on the specified days of the month.
The schedule time for an admission rule is based on the system timezone, regardless of the timezone set for an individual user in the UI.
Action Specify the action to perform when a search meets the predicate condition.
If set to
Filter search, the rule filters out any search that meets the specified predicate condition.
If set to
Queue search, the rule places a search that meets the predicate condition in a queue to be re-run at a later time, when the predicate condition allows it. This action is currently allowed for
adhoc_search_percentagepredicate type rules only.
User Message Enter a custom message that notifies the end user when a search triggers the admission rule action. For example, "This search meets specified admission rule conditions. The search was not executed."
If an ad hoc search triggers the rule action, the custom message appears beneath the search bar in the Search and Reporting app. If a scheduled search triggers the action, a default message appears in
- Click Submit.
Specify predicate values
The following table shows valid values for each admission rule predicate type:
|Predicate type||Valid values|
||Name of the app. For example, |
The correct name to specify for an app is the name of the app directory located in
||Name of the role. For example, |
For important details on
||Name of the index. For example, |
||Name of any valid user. For example, |
||An absolute time range during which the rule is valid. Currently supports |
||[0-100]. The percentage of the total search concurrency limit that you want to allocate to ad hoc searches.|
In a search head cluster environment, the
Enable admission rules
The admission rules feature must be enabled for any existing admission rules to apply to searches. In Splunk Cloud Platform, the admission rules feature is enabled for the
sc_admin role by default and cannot be disabled.
Enable individual admission rules
You can enable or disable individual admission rules. This lets you create and save multiple different admission rules and deploy them as needed. Individual admission rules are enabled by default when you create them. Disabled admission rules are not evaluated and have no impact on search execution.
To enable or disable an individual admission rule:
- In Splunk Web, click Settings > Workload Management > Admission Rules.
- In the Status column, toggle the switch to enable or disable the individual admission rule.
Example admission rules
The following examples show how you can define admission rules to filter out searches based on your use case objectives.
Example 1: Stop wildcard searches
The following rule excludes data model acceleration searches that use
index=* from the filter:
index=* AND (NOT search_type=datamodel_acceleration)
Example 2: Stop alltime searches
Some monitoring searches use the
alltime time range. The following rule excludes those searches from the filter:
search_time_range=alltime AND (NOT role=sc_admin) AND (NOT app=splunk_instance_monitoring)
The "View index inheritance for roles" feature also uses an
alltime search. You can exclude users or roles that need to view indexes from the filter. The above rule excludes the
REST API searches default to the
alltime time range, unless you explicitly define a different time range in the search query.
Example 3: Do not allow certain users to run ad hoc searches at peak hours
search_type=adhoc AND role=new_users
After you define the admission rule predicate, set the schedule for the rule, specifying the time range that corresponds to your peak hours.
Example 4: Ad hoc search quota control
You can define admission rules to limit the number of concurrent ad hoc searches running on your system.
The following rule limits the number of concurrent ad hoc searches to 50% of the total search concurrency limit:
search_type=adhoc AND adhoc_search_percentage>50
After you specify the predicate statement, set the action for the rule to
Filter search or
If set to
Filter search, the rule filters out any ad hoc searches over the 50% concurrency limit. If set to
Queue search, the rule places any ad hoc searches over the 50% concurrency limit in a queue to be run again when the number of concurrent ad hoc searches falls below the 50% threshold.
For more information on search concurrency limits in Splunk Cloud Platform, see Set limits for concurrent scheduled searches in the Splunk Cloud Platform Admin Manual.
For more admission rule use case examples, see Scenario 3: Create admission rules to prefilter searches.
Configure workload rules
Manually assign searches to workload pools
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2105, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111, 8.2.2112