How to restrict usage of real-time search

Because overuse of real-time search can result in performance costs, you may find it necessary to restrict its usage.

Options for restricting real-time search are as follows:

  • Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
  • Disable real-time search for particular roles and users.
  • Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
  • Edit limits.conf to restrict indexer support for real-time searches.

Note: For Splunk Cloud Platform, if you contacted Support to enable real-time searches, you must contact Support to restrict real-time searches.

Disable real-time search in indexes.conf

Searching in real time may be very expensive on the indexer. If you want to disable it on an indexer, you can edit a [default] setting in that indexer's indexes.conf. Note that this setting cannot be overridden on an index-by-index basis, it applies to all indexes located on the indexer. 

[default]
enableRealtimeSearch = <bool>

Note: A search head that connects to multiple indexers will still be able to get real-time search results from the indexers that do have it enabled.

CAUTION: Consult with Support before changing the enableRealtimeSearch setting in the indexes.conf file. Setting enableRealtimeSearch=false might prevent the ITSI Rules Engine from working properly. See Real-time search requirements in the IT Service Intelligence Install and Upgrade Manual.

Disable real-time search for a user or role

Real-time search is a capability that you can map to specific users or roles in Splunk Web from Manager > Access Controls. By default, the rtsearch capability is assigned to the Admin and Power roles and not the User role. A role without the rtsearch capability will not be able to run a real-time search on that search head, regardless what indexers that search head is connected to.

Set search limits on real-time searches

You can use the [search] stanza in limits.conf to change the maximum number of real-time searches that can run concurrently on your system. 

[search]
max_rt_search_multiplier = <decimal number>
realtime_buffer = <int>

max_rt_search_multiplier

  • A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Defaults to 1.
  • Note: The maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches

realtime_buffer

  • The maximum number of accessible events to keep for real-time searches from the UI. Must be >= 1. Defaults to 10000.
  • The real-time buffer acts as a circular buffer once this limit is reached.

Set indexer limits for real-time search

You can use the [realtime] stanza in limits.conf to change the default settings for indexer support of real-time searches. These options can be overridden for individual searches via REST API arguments. 

[realtime] 
queue_size = <int>
blocking = [0|1] 
max_blocking_secs = <int>
indexfilter = [0|1]

queue_size = <int>

  • The size of queue for each real-time search. Must be > 0.
  • Defaults to 10000.

blocking =[0|1]

  • Specifies whether the indexer should block if a queue is full.
  • Defaults to false (0).

max_blocking_secs = <int>

  • The maximum time to block if the queue is full. This option is meaningless, if blocking = false.
  • Means "no limit" if set to 0.
  • Defaults to 60.

indexfilter = [0|1]

  • Specifies whether the indexer should pre-filter events for efficiency.
  • Defaults to true (1).