https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64707#M2223 <P>Splunk's recommendations are:</P> <P>A small deployment server (30 or fewer clients) can co-reside with a splunk instance which has other duties, such as a search head, indexer, or other splunk instance.<BR /> At moderate to large sizes (30-300), the deployment server should reside on its own splunk instance which does not have other duties.</P> <P>The deployment server accesses can interfere with other management port activities, such as search, management, UI functionality, distributed search, etc. etc.<BR /> At moderate sizes, the phoneHomeIntervalInSecs should be increased from its default value of 30 seconds, to a larger value which meets your business goals. Can deployment clients wait 10 minutes to receive updates? Perhaps 600 is more appropriate then. </P> <P>At the moment Deployment Server oversubscription has to be gauged via a series of observations. </P> <P>Is the splunkd HTTP server overwhelmed with the number of concurrent clients that are connecting? Are we spawning too many threads to service these clients?</P> <P>This may not be apparant in splunkd.log. You would need to look at splunkd_access.log to track the rate at which HTTP requests are being served or the number of sockets held by splunkd using lsof, or the number of threads running using pstack.</P> <P>You could also try using "netstat -an |grep <MGT port="" no=""> |grep EST |wc -l<BR /> (eg netstat -an |grep 8089 |grep EST |wc -l)</MGT></P> <P>if the value returned ig high (eg in the hundreds), this may be a indication that the Deployment is over subscribed)</P> Thu, 16 May 2013 08:56:49 GMT dshakespeare_sp 2013-05-16T08:56:49Z https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64704#M2220 <P>I currently run a combination search head/deployment server on an Intel Xeon 4 core server. </P> <P>The following command indicates that i am serving 959 deploy clients at the moment. </P> <PRE><CODE>splunk list deploy-clients | grep -c hostname: </CODE></PRE> <P>959 is a whole lot more than numbers I've been seeing elsewhere. </P> <P>It <EM>seems</EM> to be working okay. There are no crazy delay in the search head. Commands come back quickly. </P> <P>idle load average: 0.29, 0.40, 0.43</P> <P>How do i know if the deployment server is over subscribed? Would there be errors in a log-file somewhere? </P> Thu, 25 Aug 2011 16:41:48 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64704#M2220 gfriedmann 2011-08-25T16:41:48Z https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64705#M2221 <P>You need to do two searches. First do a real time serach on some of your data, then do a typical search. If the realtime results are not procesed imeadiatly, you are using cpu resources for the search.</P><BR /> I have seen on my system during the day, of up to 15 minutes. Note that the delay is normal and the logs are just indexed late.<P></P><BR /> We have 3 log entries for some of our events, A detailed start, detailed end, and a summary end. I have written queries where I look for all three. In our case, there are times that we loose logs, so I know our system is over loaded.<P></P> Mon, 29 Aug 2011 13:26:31 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64705#M2221 fk319 2011-08-29T13:26:31Z https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64706#M2222 <P>I have seen Deployment Server overloaded to the point that splunkd is close to unresponsive. That is when you really know it is overloaded!</P> Wed, 09 Nov 2011 05:10:23 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64706#M2222 Jason 2011-11-09T05:10:23Z https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64707#M2223 <P>Splunk's recommendations are:</P> <P>A small deployment server (30 or fewer clients) can co-reside with a splunk instance which has other duties, such as a search head, indexer, or other splunk instance.<BR /> At moderate to large sizes (30-300), the deployment server should reside on its own splunk instance which does not have other duties.</P> <P>The deployment server accesses can interfere with other management port activities, such as search, management, UI functionality, distributed search, etc. etc.<BR /> At moderate sizes, the phoneHomeIntervalInSecs should be increased from its default value of 30 seconds, to a larger value which meets your business goals. Can deployment clients wait 10 minutes to receive updates? Perhaps 600 is more appropriate then. </P> <P>At the moment Deployment Server oversubscription has to be gauged via a series of observations. </P> <P>Is the splunkd HTTP server overwhelmed with the number of concurrent clients that are connecting? Are we spawning too many threads to service these clients?</P> <P>This may not be apparant in splunkd.log. You would need to look at splunkd_access.log to track the rate at which HTTP requests are being served or the number of sockets held by splunkd using lsof, or the number of threads running using pstack.</P> <P>You could also try using "netstat -an |grep <MGT port="" no=""> |grep EST |wc -l<BR /> (eg netstat -an |grep 8089 |grep EST |wc -l)</MGT></P> <P>if the value returned ig high (eg in the hundreds), this may be a indication that the Deployment is over subscribed)</P> Thu, 16 May 2013 08:56:49 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-i-know-if-my-deployment-server-is-overloaded/m-p/64707#M2223 dshakespeare_sp 2013-05-16T08:56:49Z