topic Re: Splunk Enterprise Security enable Hyper-threading in Splunk Enterprise Security

Splunk Enterprise Security: Is it better to enable Hyper-threading?

edoardo_vicendo — Wed, 01 Mar 2023 22:08:43 GMT

Hello,

I am wondering if on a dedicated Search Head with Splunk Enterprise Security it is better or not to enable Hyper-threading.

Our server is a blade with a dedicated VM with 2x20 physical core CPU Intel Xeon 6148 + 96GB RAM (we can increase the RAM if necessary up to 256GB).

I guess with 40 physical cores searches could be faster, and with 80 virtual cores there will be more "space" to perform concurrent searches.

So better having 40 physical cores OR 80 virtual cores?

Is there any study showing pros and cons?

Thanks a lot,

Edoardo

Re: Splunk Enterprise Security enable Hyper-threading

richgalloway — Wed, 26 May 2021 17:33:55 GMT

Enabling hyper-threading won't hurt and may help. Try it.

Re: Splunk Enterprise Security enable Hyper-threading

edoardo_vicendo — Thu, 21 Oct 2021 14:40:43 GMT

Coming back again on this.

I read different suggestions about enabling Hyper-threading on the Search Heads, but I am wondering about a configuration present in limits.conf:

Maximum # of Concurrent Searches per SH Instance:
– (max_searches_per_cpu x Logical # of CPUs) + base_max_searches

max_searches_per_cpu = <integer>
* The maximum number of concurrent historical searches for each CPU.
  The system-wide limit of historical searches is computed as:
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

Therefore if you do not enable Hyper-threading but you increase max_searches_per_cpu to 2 you are more or less obtaining the same result?

Re: Splunk Enterprise Security enable Hyper-threading

satyenshah — Wed, 01 Mar 2023 19:45:47 GMT

The guidance from Intel is to disable hyperthreading on searchheads for best performance. On searchheads, single-thread performance is more helpful than core count. On indexers, hyperthreading helps indexing but hurts searching. So you can enable/disable it to optimize for one or the other.

Re: Splunk Enterprise Security enable Hyper-threading

edoardo_vicendo — Fri, 03 Mar 2023 14:24:15 GMT

Thanks for your reply!

We have already followed the guide you provided and also the one listed here below.

By the way I opened an Idea called "Virtualization and Performance guide for deploying Splunk"

https://ideas.splunk.com/ideas/EID-I-1008

Here below some example of case-study we have followed:

https://core.vmware.com/resource/splunk-vmware-vsan

https://www.dell.com/community/s/vjauj58549/attachments/vjauj58549/storage-and-data-protection-wiki-ch/3903/1/h15604-splunk-enterprise-and-vmax-all-flash.pdf

https://www.delltechnologies.com/resources/en-us/asset/offering-overview-documents/products/storage-2/h15699-splunk-vxrail-sg.pdf

https://www.intel.com/content/dam/www/public/us/en/documents/reference-architectures/high-performance-data-analytics-with-splunk-brief.pdf