How To Find The Disk Space Limit Used By The Users In Splunk

How To Find The Disk Space Limit Used By The Users In Splunk

Hi guys!!
Today we are back with another blog which is on how to keep a track on the disk space limit used by the users in Splunk.
In Splunk according to the user’s role we can specify the Disk space limit (which is basically,  maximum amount of disk space in megabytes that search jobs for a specific user with this role can use)

Part 1:
Go to Settings and click on Roles and select the role group, In our case we have select admin then go to the Resources tab and scroll down then we can see the Disk space limit.

1
So here the problem arises, if we want to keep a track on the amount of disk space used by the users according to his role.
So how to solve it, don’t worry we have the solutions for you. Just follow us.
Just use this search query and see the magic.

|rest splun_server=local /services/search/jobs
|eval diskUsageMB=diskUsage/1024/1024
|stats sum(diskUsageMB) as DiskUsage_MB by eai:acl.owner 
|rename eai:acl.owner as User

2

NOTE: After doing this one can do lots of stuffs, you can create 
alerts up to certain Disk usage.

Part 2:
What will happen if any user reaches the maximum limit of the disk space allocated which for them ?

Now another catch for you people,now what if a user exceeds his disk usage limit set by the admin. Take an example – as we have logged in by admin account then create a user role name as “Test” by Clicking Settings  and Roles and then New Roles  and into the Resource  tab change the Disk Space Limit into 100 MB as shown in figure below and Save it.

3
Then create a user and assign that user  with the newly created group and log into the Splunk with the credentials of that new user. Try to exceed that limit of disk usage to see that error message. After exceeding the disk limit while searching in the search bar you will get an error like this.

4
After exceeding your disk space all of your  search jobs will go into queue. As a result you will not be able to search anything.

Solution 1:
To get rid of this issue you need to increase the disk space limit for that particular  user role for further searching.  Follow the Step 1 to increase the disk space limit.

Solution 2:
There is another process by which you can start your searching by deleting search Jobs.
Go to the Activity and click on Jobs.

5
And follow these below steps to delete your past jobs which is not required anymore.

6
Click on Delete.  

7

After deleting the search jobs you can continue searching once again. Once the issue is resolved you will not get the error message again.

8
That’s all for now, enjoy and stay safe and we will come back with another topic.

Happy Splunking!!

You can also know about :  How To Find The Missing Data In Inventory But Present In Index And Vice Versa

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.