All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 2: Can input scheduling be improved to prevent CPU spikes?

matthijsk
Explorer
‎06-08-2016 05:38 AM

We use DB connect to import log data from several databases into Splunk. We want to do this every 60 seconds to keep Splunk up to date. We set this up and it worked fine, but once we did a reboot of the Splunk machine this was running on, we noticed spikes in CPU use every minute. All the inputs (that run every 60 seconds) now start at the same time (as is documented). This is very impractical and inefficient. We have solved this by giving each input a slightly different interval (like 60 seconds / 62 seconds / 64 seconds / etc). It would be more practical if we could either define a cron schedule in seconds (which is not supported in cron) or be able to define a delay for an input so it will not immediately start after a Splunk start ,but wait for a specific time. That would allow us to balance the inputs within a minute and thus balance load on the CPU.

Reply

woodcock
Esteemed Legend
‎06-08-2016 06:08 AM

Or the same thing for scheduling reports (a window) can be done for DB Connect, too.

0 Karma
Reply

neilhaywood
Engager
‎06-08-2016 05:51 AM

In case it helps.

We had a similar issue with opsec grabbing data every 30 seconds.

There was too much data to process, before the data was processed a new process was started, using up cpu.

We increased the time between grabbing the data to 300 seconds.

0 Karma
Reply

matthijsk
Explorer
‎06-08-2016 07:33 AM

Hi,

thank you for your comment. We prefer to get the data a little sooner as we have some alerting set up based on this data. Cannot do it continuously as the data in SQL should be updated within 60 seconds of being created.
Setting it up with different intervals has helped but is not a very intuitive solution.

Matthijs

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...