https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25286#M4745 <P>I would recommend one index per customer. You can use sourcetypes to differentiate the datafeeds.</P> Tue, 06 Aug 2013 15:06:27 GMT emiller42 2013-08-06T15:06:27Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25277#M4736 <P>I'm seeing three seconds of latency introduced to each search when using ~3,500 indexes. Here's the scenario:</P> <UL> <LI>~3,000,000 events for source "X", all stored within the main default index</LI> <LI>No data in any of the other custom ~3,500 indexes</LI> <LI>Free license</LI> <LI>32g/ram, i7 series 4, 1tb/ssd</LI> <LI>I've not violated the free tier indexing threshold</LI> </UL> <P>Using the admin account, a search as simple as "sourcetype=x" seems to wait roughly three seconds before beginning to fetch results. When I remove all the custom indexes, things fly like normal. Considering I'm not storing data in the extra indexes yet, I wouldn't expect a noticeable performance impact. As I create additional indexes, performance seems to drop. </P> <P>What could be causing this? <A href="http://splunk-base.splunk.com/answers/40519/how-many-indexes-canshould-one-indexer-support-per-cpu-core">This link</A> suggests it's not the number of indexes that count, it's the data. My experience shows the inverse. What is the maximum number of indexes per instance before running into issues?</P> Mon, 05 Aug 2013 17:34:02 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25277#M4736 andywins 2013-08-05T17:34:02Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25278#M4737 <P>I wouldn't do this many index but curious to know the reason as i see something similar with me.</P> Mon, 05 Aug 2013 17:57:25 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25278#M4737 linu1988 2013-08-05T17:57:25Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25279#M4738 <P>I'd wager that it is still tied to the number of indexes. Even if those indexes don't contain data, each bloomfilter on each index bucket must be checked for matches. So even though its a quick search of the bloomfilter, you are still performing it <CODE>~3500 * #BucketsInIndex</CODE> times. Try doing your search like this and see if it speeds up:</P> <P><CODE>index=main sourcetype=x| blah blah</CODE></P> <P><CODE><A href="http://docs.splunk.com/Splexicon:Bloomfilter" target="test_blank">http://docs.splunk.com/Splexicon:Bloomfilter</A></CODE></P> Mon, 05 Aug 2013 18:17:35 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25279#M4738 alacercogitatus 2013-08-05T18:17:35Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25280#M4739 <P>But when i added another 20 indexes to existing 20 i felt the searches had slowed down even if the new indexes didn't contain any data. Any possible reason?</P> Mon, 05 Aug 2013 18:42:01 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25280#M4739 linu1988 2013-08-05T18:42:01Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25281#M4740 <P>But if you don't explicitly declare in your search which index, the search still hits every index location, and depending on your disk speeds, might introduce some latency.</P> Mon, 05 Aug 2013 19:11:12 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25281#M4740 alacercogitatus 2013-08-05T19:11:12Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25282#M4741 <P>Sorry i should have been specific, I meant the dashboards which are having proper search queries.</P> Mon, 05 Aug 2013 19:42:35 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25282#M4741 linu1988 2013-08-05T19:42:35Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25283#M4742 <P>Uh, 3500 indexes is <EM>way</EM> above the expected parameters. I would hesitate to use more than 200. Frankly, I would be happy to only see 3 seconds of latency on searches with that many indexes, but I suspect that's because you have a good SSD. Every index of course means more places to look for every search (even if it's empty, it's impossible to know it's empty w/o looking) as well as overhead checking for whether its full, etc.</P> <P>What are you using 3500 indexes for? I wonder whether you need that or whether you can just put them into fewer.</P> Mon, 05 Aug 2013 19:54:28 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25283#M4742 gkanapathy 2013-08-05T19:54:28Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25284#M4743 <P>Thanks for the comments. I'll be bulk loading some data this week to vet the suggested approach. I'm using two Samsung 840 pro 500gb ssd's, striped. gkanapathy, we have this many customers and I want to partition their data, both for speed and security. Right now I can create roles/users locked down to a specific index. Ideally, I would have an index for each datafeed per customer (15 feeds * 3500 clients = 52,500 indexes). Let me know if you can think of a better approach.</P> Tue, 06 Aug 2013 13:54:30 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25284#M4743 andywins 2013-08-06T13:54:30Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25285#M4744 <P>As long as you can single out the indexes you need for each query this won't be as big a problem since in that case Splunk knows immediately which indexes to open. If you do need to run loads and loads of searches over <EM>ALL</EM> indexes that could be more problematic.</P> Tue, 06 Aug 2013 13:57:40 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25285#M4744 Ayn 2013-08-06T13:57:40Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25286#M4745 <P>I would recommend one index per customer. You can use sourcetypes to differentiate the datafeeds.</P> Tue, 06 Aug 2013 15:06:27 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25286#M4745 emiller42 2013-08-06T15:06:27Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25287#M4746 <P>Just a reminder: please accept the answer if we have answered your question. Thanks!</P> Tue, 06 Aug 2013 16:10:54 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25287#M4746 alacercogitatus 2013-08-06T16:10:54Z https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25288#M4747 <P>Indeed, limiting to explicit indexes increases performance. Thanks alacercogitatus</P> Fri, 16 Aug 2013 17:51:55 GMT https://community.splunk.com/t5/Splunk-Search/Significant-search-performance-hit-using-multiple-indexes/m-p/25288#M4747 andywins 2013-08-16T17:51:55Z