Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Azure Servers not powerful enough

Abass42
Communicator
‎06-25-2024 12:56 PM

I had a quick question about the resources on my indexer. I have a dev environment with a forwarder, indexer, and SH. On all of the servers, I have an IO Wait error. Investigating, I could turn that alert off, or I could look at the actual resources available on the machine. Looking through it, it looks as if i may need more resources. Looks like i only have 2 cores? and about7 GB of ram. 

 

Min Specs recommended by Splunk are:

  • An x86 64-bit chip architecture.
  • 12 physical CPU cores, or 24 vCPU at 2 GHz or greater per core.
  • 12 GB RAM.

This is what i have:

Abass42_0-1719345101154.png

Would this explain these errors:

 

System iowait reached red threshold of 3
Maximum per-cpu iowait reached red threshold of 10
Sum of 3 highest per-cpu iowaits reached red threshold of 15

 

Before I started trying to re do our Dev env from the ground up, we were receiving these errors and they haven't gone away. 

 

Thanks for any help

Labels (2)
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2024 01:37 AM

Hi

I said that for working dev environment you should have at least 4vCPU and 8GB memory. But even more important is that your disks can perform at least 800IOPS preferred is 1200+ IOPS. This should apply both Splunk binary/var and splunk indexer data disks.

One way to test this is use Bonnie++ or some similar tool. Of course if you see that information from your infra tools it's enough.

r. Ismo

0 Karma
Reply

deepakc
Builder
‎07-04-2024 01:22 AM

This indicates  that the CPU is spending a significant amount of time waiting for I/O  (typically disk) as your ingesting/parsing data/searching, so with Splunk you need to size it sufficiently, otherwise you will get those messages, remember Splunk is a workhorse and needs resources:

 

Have a look at the below to posts, I recently had replied to around iowait

 

https://community.splunk.com/t5/Splunk-Enterprise/IOWAIT-Mystery-What-is-it-Is-it-important/m-p/6902... 

 

https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Enterprise-how-does-it-detect-IOWAIT-warnin... 

 

Go through these questions

https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Performancechecklist 

 

Look at the guide in terms of performance recommendations 

https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations

 In summary I think you will need to bump up your specifications, but for a dev environment, you can ignore those messages, unless it's starts to crawl and become unbearable. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top