Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Increasing Splunks Search performance on Linux

dragmore
Explorer
‎10-10-2011 03:10 AM

Hi. We have several big Splunk installations and im working on trying to increase the search performance on them. Unfortunatly ive come to and end and i could really use some input/suggestions on where to fix this.

Info:
1. Splunk 4.3.2 x64 REDHAT @ RHEL 5.7 X64
2. HOT/WARM IDX @ 2x120GB SSD in RAID1 mounted volume
3. COLD & Thawed @a 14x300GB RAID6-ADG mounted volume
4. 2x6CPU Cores and 48GB MEM (HP DL380g7)

So when i do a search i often see almost all my cpu's ad idle, but the one im using for search..
I got no IO-Waiting on my Disk-IO subsystem so i know this issue is CPU bound.

So the BIG question is : Is there a way to enable a search to span over multiple cpu cores? Multithreaded/processed searches?

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
1 0 196 812064 1117692 32270052 0 0 6 50 2 2 6 0 94 0 0
2 0 196 809468 1117708 32272140 0 0 0 257 1280 1743 9 0 90 0 0
7 0 196 660532 1117800 32270748 0 0 62 1726 1602 3894 25 2 72 0 0
7 0 196 556972 1117920 32274096 0 0 1 1690 1648 21236 50 1 48 0 0
3 0 196 687980 1117952 32258168 0 0 0 428 1424 10324 40 1 59 0 0

br TE

0 Karma
Reply

twkan
Splunk Employee
Splunk Employee
‎10-11-2011 03:11 AM

Personally, I would install multiple Splunk Indexers listening on different ports with the aim of saturating the CPU cores as well as Disk I/O. Given that you have 12 CPU cores, I would start with perhaps 2 to 3 Splunk instances, and monitor the health status via iostat, top etc. to make sure that I am not overloading the box, and subsequently validate the improved utilisation of the hardware resources.

Reply

MuS
SplunkTrust
SplunkTrust
‎10-11-2011 04:43 AM

okay at first I disagreed on this but after reading http://splunk-base.splunk.com/answers/5202/how-do-i-get-the-most-out-of-a-16-core-server I think you can improve search performance this way.

0 Karma
Reply

twkan
Splunk Employee
Splunk Employee
‎10-11-2011 04:10 AM

Generally speaking, search performance will increase along with indexing performance. This is where the multiple indexers with MapReduce will come into play to increase the search performance.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-11-2011 04:00 AM

Hi twkan, then you would 'only' increase the index performance but not the search performance.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-10-2011 04:51 AM

Hi dragmore

please read this answer to find out more about search performance.

regards

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...