How to restrict usage of real-time search
Because overuse of real-time search can result in performance costs, you may find it necessary to restrict its usage.
Options for restricting real-time search are as follows:
- Disable real-time search at the indexer level by editing
indexes.conf
for specific indexes. - Disable real-time search for particular roles and users.
- Edit
limits.conf
to reduce the number of real-time searches that can be run concurrently at any given time. - Edit
limits.conf
to restrict indexer support for real-time searches.
For Splunk Cloud Platform, if you contacted Support to enable real-time searches, you must contact Support to restrict real-time searches.
Disable real-time search in indexes.conf
Searching in real time may be very expensive on the indexer. If you want to disable it on an indexer, you can edit a [default]
setting in that indexer's indexes.conf
. Note that this setting cannot be overridden on an index-by-index basis, it applies to all indexes located on the indexer.
[default] enableRealtimeSearch = <bool>
Note: A search head that connects to multiple indexers will still be able to get real-time search results from the indexers that do have it enabled.
Consult with Support before changing the enableRealtimeSearch
setting in the indexes.conf
file. Setting enableRealtimeSearch=false
might prevent the ITSI Rules Engine from working properly. See Real-time search requirements in the IT Service Intelligence Install and Upgrade Manual.
Disable real-time search for a user or role
Real-time search is a capability that you can map to specific users or roles in Splunk Web from Manager > Access Controls. By default, the rtsearch capability is assigned to the Admin and Power roles and not the User role. A role without the rtsearch capability will not be able to run a real-time search on that search head, regardless what indexers that search head is connected to.
Set search limits on real-time searches
You can use the [search]
stanza in limits.conf
to change the maximum number of real-time searches that can run concurrently on your system.
[search] max_rt_search_multiplier = <decimal number> realtime_buffer = <int>
max_rt_search_multiplier
- A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Defaults to 1.
- Note: The maximum number of real-time searches is computed as:
max_rt_searches = max_rt_search_multiplier x max_hist_searches
realtime_buffer
- The maximum number of accessible events to keep for real-time searches from the UI. Must be >= 1. Defaults to 10000.
- The real-time buffer acts as a circular buffer once this limit is reached.
Set indexer limits for real-time search
You can use the [realtime]
stanza in limits.conf
to change the default settings for indexer support of real-time searches. These options can be overridden for individual searches via REST API arguments.
[realtime] queue_size = <int> blocking = [0|1] max_blocking_secs = <int> indexfilter = [0|1]
queue_size = <int>
- The size of queue for each real-time search. Must be > 0.
- Defaults to 10000.
blocking =[0|1]
- Specifies whether the indexer should block if a queue is full.
- Defaults to false (0).
max_blocking_secs = <int>
- The maximum time to block if the queue is full. This option is meaningless, if
blocking = false
. - Means "no limit" if set to 0.
- Defaults to 60.
indexfilter = [0|1]
- Specifies whether the indexer should pre-filter events for efficiency.
- Defaults to true (1).
See also
Expected performance and known limitations of real-time searches and reports | About evaluating and manipulating fields |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!