https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191609#M55172 <P>I've been reviewing the information around sizing Splunk installations and it seems to distill--at its simplest--to two key dimensions: data volume and search concurrency. While historical data volumes are relatively easy to get, it seems to be a lot harder to assemble interactive search activity and saved search activity into some kind of picture of overall search concurrency over a time period.</P> <P>Does anyone know where Splunk hides all the info you'd need to do this? A lot of the wiki entries seem to be out of date; SoS app gives this problem a good college try, but while the scheduled search stuff seems fine, it uses ps and investigates the command line for the interactive stuff which seems a bit random--surely this information is stored elsewhere in Splunk?</P> <P>Anyway you need all these things (and more of course) to size Splunk properly, and it's fairly strange that you don't seem to be able to get this out of the box. Especially when nearly everyone uses pilot projects to arrive at real sizing...somehow!</P> Mon, 03 Nov 2014 05:24:07 GMT cmeo 2014-11-03T05:24:07Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191609#M55172 <P>I've been reviewing the information around sizing Splunk installations and it seems to distill--at its simplest--to two key dimensions: data volume and search concurrency. While historical data volumes are relatively easy to get, it seems to be a lot harder to assemble interactive search activity and saved search activity into some kind of picture of overall search concurrency over a time period.</P> <P>Does anyone know where Splunk hides all the info you'd need to do this? A lot of the wiki entries seem to be out of date; SoS app gives this problem a good college try, but while the scheduled search stuff seems fine, it uses ps and investigates the command line for the interactive stuff which seems a bit random--surely this information is stored elsewhere in Splunk?</P> <P>Anyway you need all these things (and more of course) to size Splunk properly, and it's fairly strange that you don't seem to be able to get this out of the box. Especially when nearly everyone uses pilot projects to arrive at real sizing...somehow!</P> Mon, 03 Nov 2014 05:24:07 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191609#M55172 cmeo 2014-11-03T05:24:07Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191610#M55173 <P>If you're using 6.x you can find that information in Activity (upper right hand corner) &gt;&gt; System Activity &gt;&gt; Search activity overview - or you can get to the raw data using the following search:</P> <PRE><CODE>index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* </CODE></PRE> Mon, 03 Nov 2014 05:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191610#M55173 Ledion_Bitincka 2014-11-03T05:50:42Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191611#M55174 <P>I need history as well as current activity. Trying these two searches at the moment:</P> <PRE><CODE>index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount&gt;0" | timechart span=1m count(search) index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart span=1m count(_raw) </CODE></PRE> <P>They are returning results that are different, the second giving counts very much larger than the first. Is there a canonical answer to this question? Unless there is, I'll go with the second and hope for the best...</P> Mon, 03 Nov 2014 23:13:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191611#M55174 cmeo 2014-11-03T23:13:23Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191612#M55175 <P>found yet another variant:</P> <PRE><CODE>| history | timechart span=1d count(search) </CODE></PRE> <P>different again...so which one do I trust?</P> Mon, 03 Nov 2014 23:28:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191612#M55175 cmeo 2014-11-03T23:28:23Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191613#M55176 <P>use/trust metrics.log </P> Wed, 05 Nov 2014 07:13:42 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191613#M55176 Ledion_Bitincka 2014-11-05T07:13:42Z https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191614#M55177 <P>did you try using dc(search) ?</P> Thu, 08 Oct 2015 10:49:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sizing-where-is-the-search-concurrency-information/m-p/191614#M55177 asimagu 2015-10-08T10:49:53Z