Background :
I am using Splunk verion 4.3.3 , having 4 indexer with 1 Search head and using the default configurations for limits.conf.
OS : RHEL 6
Subnet : logging
HDD 1 : 40
HDD 2: 100
Memory : 16
CPU cores :4
By default settings my search head is capable of doing 4 concurrent searches. (as recommended by splunk) However often i am getting maximum historical search limit is reached. and this is quite annoying for my users.
Suggest me a best idea to resolve this, (something from my readings , correct me if i am wrong below)
- Shall i tweak the default settings in limits.conf . How far this is recommended to localize this configuration file ?
- Shall i increase the no. of cores in Search head's CPU ?
- Do i need to go for multiple search heads ?
Can i try this ,
restrict the Splunk users triggering a complex query | or a query which fetches very old data .
Restrict features in TimeRange picker -remove "All Time" selection
However i wanted to limit the users from complex query. Is there any tricks ? or any way to force the search query to show limited data , even though long time range is selected ?
Kindly advice.
Thanks,
Chimbu