Relationship of CPU cores between search head and ...

responsys_cm · ‎04-14-2013

One thing I'm not clear on in the architecture and capacity planning guides is what the optimal relationship should be between search heads and indexers.

If I have a search head with 32 cores, should each indexer have that many as well? Or is the constraint that the limits.conf defines the max number of concurrent searches that the search head can run simultaneously, whereas the number of cores on the indexers just impacts how fast those searches can be completed?

If my four indexers have 8 cores each and the search head has 32, what happens on the indexers when the search head tries running 32 simultaneous searches? What happens if the search head overwhelms the indexers?

Thanks.

Craig

gkanapathy · ‎04-14-2013

There is no one optimal relationship. The answer depends on the searches you are running, and the relative amount of work that can be divided between the indexers and the search head by Splunk's map-reduce framework. For example, if you run ... | stats count, almost all the work is done on the indexers, and so you can have a single search head serve many more indexers. In contrast, something like a complex ... | transaction startswith=... command will require more from the search head. If you use Verbose Mode in the timeline view, you will do things that rely more on the search head, while Fast Mode does fewer of these things.

Relationship of CPU cores between search head and indexers

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023