Usage Groups

Usage Groups let you assign limits for searches to specific users. By setting limits you can prevent inefficient queries by either disallowing them, or terminating their execution if they exceed a limit.

You can set up general limits that apply to all users in the Limits section.

Cribl Search provides two Usage Groups by default:

  • system - Provides system-level limits that apply to all searches.
  • default - Covers all ad hoc searches, unless covered by a different group.

Creating Usage Groups

To create a Usage Group, go to Settings > Search Settings > Usage Groups, and select Add Usage Group.

In the Configuration tab, give the group a name, set up limits that members of this group will be bound by, and activate it with the Enabled toggle.

To assign users to a group, in the Members tab, click Add next to a user’s row to include them in the group. All users who have the User or Editor Search Member Permissions are valid group members.

Usage Limits

You can configure the following usage limits for each group:

  • Earliest relative time range - How far back in time the search can go. For example: 60m, 30d, 6mon, 1y. To specify time in seconds, enter a number with no time unit. This limit can be overridden by max_earliest_relative.
  • Time range limit - Maximum time range for one search query, for example 3 days (3d). This limit can be overridden by max_timerange_width.
  • User concurrent ad hoc search limit - Maximum number of concurrent ad hoc searches per user. If the user tries to execute more queries than specified by this limit, the searches get queued. This limit can be overridden by max_searches_per_user.
  • User concurrent scheduled search limit - Maximum number of concurrent scheduled searches per user. This limit can be overridden by max_scheduled_searches_per_user.
  • Overall concurrent search limit - Maximum number of concurrent searches allowed per organization.
    • If set as a percentage (%), the number is calculated as: Math.min(1, numCPU x maxConcurrentSearches/100).
    • Default is 50%.
    • Search will be disabled if this number is set to 0.
  • Results limit - Maximum number of events that can be returned per search.
  • Executors limit - Maximum number of executors dispatched per search.
    • Default is 50.
    • Minimum of 1.
    • This limit can be overridden by max_executors.
  • Byte limit - Maximum number of bytes that can be read per search. When the limit is exceeded, the search gets canceled. This limit can be overridden by max_bytes_read_per_search.
  • Running time limit - Maximum time, in seconds, that a single search is allowed to run.

Overriding Limits

Certain usage limits can be overridden by set-statement options, for example: set max_searches_per_user=100000.

Admins can also run a query as a specific Usage Group with: set usage_group="secops".

The following set options correspond to the limits configured in the UI:

Limit                                    Setting
Earliest relative time range             max_earliest_relative
Time range limit                         max_timerange_width
User concurrent ad hoc search limit      max_searches_per_user
User concurrent scheduled search limit   max_scheduled_searches_per_user
Results limit                            max_results_per_search
Executors limit                          max_executors
Byte limit                               max_bytes_read_per_search
Running time limit                       max_running_time_per_search
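The following is an added example, not Cribl's own code, that ties the Usage Limits list and the set options together: it parses the relative-time syntax used by the limits (60m, 30d, 6mon, 1y, or a bare number of seconds), picks set-statement overrides off the front of a query, and decides what happens to a query that exceeds a group's limits. The unit table (including a 30-day month and a 365-day year), the field names, the sample group limits and the reject/queue/cancel policy in evaluateQuery() are this example's own assumptions; only the queue-on-concurrency and cancel-on-bytes behaviour comes from the page.

```javascript
// Added example (not Cribl Search code). Assumed unit table for the
// relative-time syntax: 60m, 30d, 6mon, 1y, or a bare number of seconds.
const UNIT_SECONDS = {
  s: 1,
  m: 60,
  h: 3600,
  d: 86400,
  w: 7 * 86400,
  mon: 30 * 86400,  // assumption: a month counts as 30 days
  y: 365 * 86400,   // assumption: a year counts as 365 days
};

// "60m" -> 3600, "6mon" -> 15552000, "900" -> 900; throws on anything else.
function parseRelativeTime(spec) {
  const m = /^\s*(\d+)\s*([a-z]*)\s*$/i.exec(String(spec));
  if (!m) throw new Error(`invalid relative time: ${spec}`);
  const n = Number(m[1]);
  const unit = m[2].toLowerCase();
  if (unit === '') return n;                       // no unit: seconds
  if (!(unit in UNIT_SECONDS)) throw new Error(`unknown time unit: ${unit}`);
  return n * UNIT_SECONDS[unit];
}

// Set-statement names from the table above, mapped onto assumed field names.
const SET_OPTIONS = {
  max_earliest_relative: 'earliestRelative',
  max_timerange_width: 'timeRangeWidth',
  max_searches_per_user: 'maxSearchesPerUser',
  max_scheduled_searches_per_user: 'maxScheduledSearchesPerUser',
  max_results_per_search: 'maxResults',
  max_executors: 'maxExecutors',
  max_bytes_read_per_search: 'maxBytesRead',
  max_running_time_per_search: 'maxRunningTime',
};

// Read leading `set name=value` lines off a query. Known limit names become
// overrides, `set usage_group="..."` selects a group, unknown names are
// ignored. Returns { overrides, usageGroup, body }.
function parseSetStatements(queryText) {
  const overrides = {};
  let usageGroup;
  const lines = queryText.split('\n');
  let i = 0;
  for (; i < lines.length; i++) {
    const m = /^\s*set\s+(\w+)\s*=\s*"?([^"\s]+)"?\s*$/.exec(lines[i]);
    if (!m) break;
    if (m[1] === 'usage_group') usageGroup = m[2];
    else if (SET_OPTIONS[m[1]]) overrides[SET_OPTIONS[m[1]]] = m[2];
  }
  return { overrides, usageGroup, body: lines.slice(i).join('\n') };
}

// Decide what happens to a query under a group's limits plus overrides.
// Assumed policy: window violations reject; exceeding the per-user ad hoc
// limit queues (as the page states); exceeding the byte limit cancels.
function evaluateQuery(groupLimits, overrides, query) {
  const limits = { ...groupLimits, ...overrides };
  const verdicts = [];
  if (limits.earliestRelative !== undefined &&
      parseRelativeTime(query.earliestRelative) > parseRelativeTime(limits.earliestRelative)) {
    verdicts.push({ limit: 'earliestRelative', action: 'reject' });
  }
  if (limits.timeRangeWidth !== undefined &&
      parseRelativeTime(query.timeRangeWidth) > parseRelativeTime(limits.timeRangeWidth)) {
    verdicts.push({ limit: 'timeRangeWidth', action: 'reject' });
  }
  if (limits.maxSearchesPerUser !== undefined &&
      query.activeSearches >= Number(limits.maxSearchesPerUser)) {
    verdicts.push({ limit: 'maxSearchesPerUser', action: 'queue' });
  }
  if (limits.maxBytesRead !== undefined && query.bytesRead > Number(limits.maxBytesRead)) {
    verdicts.push({ limit: 'maxBytesRead', action: 'cancel' });
  }
  return verdicts;
}

// Constructed sample limits for a group (not Cribl defaults).
const SAMPLE_GROUP_LIMITS = {
  earliestRelative: '30d',
  timeRangeWidth: '3d',
  maxSearchesPerUser: 5,
  maxBytesRead: 50 * 1024 ** 3,
};

// Constructed query: overrides the concurrency limit, but still asks for a
// 45-day lookback and a 7-day window, so both window limits reject it.
function demo() {
  const text = 'set max_searches_per_user=100000\ndataset="cribl_logs" | limit 10';
  const { overrides } = parseSetStatements(text);
  return evaluateQuery(SAMPLE_GROUP_LIMITS, overrides, {
    earliestRelative: '45d', timeRangeWidth: '7d', activeSearches: 7, bytesRead: 0,
  });
}

console.log(JSON.stringify(demo()));
```

Note that the set-statement override wins over the group value here because the page says these limits can be overridden; if you want a group's limit to be a hard ceiling, drop the spread of `overrides` for that field and treat the set option as a request rather than a grant.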
Last updated by: Dritan Bitincka