Archive

Does the bandwidth between the splunk server and the client make difference in the time of response of the query?

New Member

The bandwidth between the splunk server and the client make difference in the time of response of the query.
For example, if i have the server in a datacenter with a bandwidth of 100 mb, the time of response of a query will be more than if i had the server in my own infrastructure with a 1 GB bandwidth?

0 Karma

Builder

@rhungebd

If by client you mean the log source machine, the answer is Yes and No both.

To get to the answer, lets understand briefly the following:
How Splunk processes and searches data - From the log sources, the data is sent to indexer where it keeps a local copy of data after processing it. Now whenever a search is run, Splunk does not pull it directly from the log source but from its local copy of processed data.

There are 2 types of searches in Splunk. Historical and Real Time. Now as the names indicate, Historical searches run the historical data and Real Time searches run over the continuous stream of data coming into Splunk.

After knowing these 2 facts, below is why I said Yes and No both.
Why Yes -
If you are trying to search for the data that is coming into Splunk at real time, there would be a delay in results as much as there is from the original source to the indexer. So, the bandwidth will play its role here.

Why No -
If you are trying to search for the data that is already available with Splunk (say sometime b/w last week to last day). Since this data is already available with Splunk in the form of a local processed copy as I mentioned above, there would be no impact of what bandwidth you have b/w your client and Splunk Indexer.

And what David explained above tells you, how the latency plays its role when the data is already in Splunk and how would it play its role in your distributed Splunk architecture.

I hope this gives you the conceptual idea of Splunk's working.
Let me know if it helps. And please accept answer and upvote if this answers your query.

SplunkTrust
SplunkTrust

Hi @rhungebd,

Yes of course it does, if you're fetching a large volume of data from your indexers to your SH, it might save you a couple of milliseconds to have a larger bandwidth.

I must add though that a good latency between the distributed Splunk components is far more important than the bandwidth as it will impact all searches including those that require indexers to return less results. So be sure you get as low a latency as possible keeping it at 100ms maximum for intersite communication for indexers.

Let me know if you need more details.

Cheers,
David

0 Karma