https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367730#M3186 <P>Do post your search to get a more detailed answer.</P> <P>In general, the streaming portion of searches (e.g. <CODE>index=foo | eval field = "bar"</CODE>) will run on all indexers in parallel.<BR /> The same holds true for union'd searches, e.g. <CODE>| union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]</CODE> - which is the first example from the union docs at <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union</A><BR /> Every indexer will run the searches in parallel, and return results to the search head.</P> <P>For most cases, I'd recommend using <CODE>OR</CODE> instead of union: <CODE>index=foo OR index=bar | ...</CODE> because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.</P> Mon, 30 Apr 2018 10:08:25 GMT martin_mueller 2018-04-30T10:08:25Z https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367729#M3185 <P>Hi,</P> <P>[architecture]<BR /> One search header, several indexers, one LB forwarder</P> <P>[Question]<BR /> * If one search statement is returned, the search starts from one indexer. (Using CPU 1 core)</P> <UL> <LI><P>When using the Union command in the search header, does the search run in one indexer? (Use CPU 1 core?)</P></LI> <LI><P>If not, does one search statement run on multiple indexers? (Using multiple CPUs?)</P></LI> <LI><P>The point is, when using the Union command, does one search statement run on multiple indexers?</P></LI> </UL> <P>Thanks.</P> Mon, 30 Apr 2018 06:24:28 GMT https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367729#M3185 kind7776 2018-04-30T06:24:28Z https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367730#M3186 <P>Do post your search to get a more detailed answer.</P> <P>In general, the streaming portion of searches (e.g. <CODE>index=foo | eval field = "bar"</CODE>) will run on all indexers in parallel.<BR /> The same holds true for union'd searches, e.g. <CODE>| union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]</CODE> - which is the first example from the union docs at <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union</A><BR /> Every indexer will run the searches in parallel, and return results to the search head.</P> <P>For most cases, I'd recommend using <CODE>OR</CODE> instead of union: <CODE>index=foo OR index=bar | ...</CODE> because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.</P> Mon, 30 Apr 2018 10:08:25 GMT https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367730#M3186 martin_mueller 2018-04-30T10:08:25Z https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367731#M3187 <P>Sorry, I seem to have confused the question.<BR /> For example, using the append command, you can physically query one CPU core (one indexer)<BR /> If you have multiple indexers, I wonder if you use the union command to physically search the CPU cour using several indexers (multiple indexers).</P> <UL> <LI>I understand that append uses one cpu core, and union uses multiple cpu cores, so it is faster when using the union command.</LI> </UL> <P>I wonder if the above is true.</P> Thu, 03 May 2018 01:31:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367731#M3187 kind7776 2018-05-03T01:31:03Z https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367732#M3188 <P>If you have spare cores, consider enabling batch mode search parallelization: <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/Capacity/Parallelization#Batch_mode_search_parallelization">http://docs.splunk.com/Documentation/Splunk/7.1.0/Capacity/Parallelization#Batch_mode_search_parallelization</A></P> <P>That will allow all batch mode eligible searches to search multiple non-hot buckets at once.</P> <P>As for <CODE>append</CODE> vs <CODE>union</CODE>, I'd use neither in most cases - instead <CODE>OR</CODE> your data sets together in one big search.</P> Thu, 10 May 2018 19:08:00 GMT https://community.splunk.com/t5/Monitoring-Splunk/Does-the-union-command-affect-CPU-utilization/m-p/367732#M3188 martin_mueller 2018-05-10T19:08:00Z