Deployment Architecture

Single/Multi Threading CPU

LCM
Contributor

Is splunk itself single or multi threading capable in a CPU architecture perspective?

The docus I've read was mostly about x86 arch. but not SPARC!

Example:

If splunk is multithreaded and I'm installing it on a T-series server (Sun) I might be faster than on a M-series server (Sun), cos T-series has more threads per core. On the other hand, if it's singlethreaded, I'm better on the M-series (less threads, but more power per thread), but that one is much more expensive.

I know, who will install it these days on SPARC - sometimes politics wins!

I read through some documentation, and I might have a guess: Single Threaded!

Tags (1)
1 Solution

David
Splunk Employee
Splunk Employee

Take a look at this Splunk Answers:

http://answers.splunk.com/questions/1829/splunk-searches-to-be-multithreaded-in-a-single-box

The short answer is that Splunk as a system is multi-threaded, but there are some Splunk processes that are not. Notably: indexing is multi-threaded, searches aren't. As gkanapathy mentions below, each search will use a single process and thread, so if you have 12 simultaneous searches, and a high indexing load, Splunk itself could use 16 threads.

Perhaps an engineer can provide guidance if there is anything particular to SPARC systems, but I believe that link is representative.

View solution in original post

David
Splunk Employee
Splunk Employee

Take a look at this Splunk Answers:

http://answers.splunk.com/questions/1829/splunk-searches-to-be-multithreaded-in-a-single-box

The short answer is that Splunk as a system is multi-threaded, but there are some Splunk processes that are not. Notably: indexing is multi-threaded, searches aren't. As gkanapathy mentions below, each search will use a single process and thread, so if you have 12 simultaneous searches, and a high indexing load, Splunk itself could use 16 threads.

Perhaps an engineer can provide guidance if there is anything particular to SPARC systems, but I believe that link is representative.

David
Splunk Employee
Splunk Employee

Thanks for the corrections. I fixed the errors in my original answer, should anyone read it in the future and skip over comments.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

All that said, please do not analogize Splunk with a web server for the purposes of sizing and multithreading. It is much more analogous to a database server, in that CPU and threads are only a small part of the performance factors, and rarely the most important ones.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Furthermore, each concurrent search uses a full process and thread.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

That is incorrect. The indexing process is multi-threaded, up to four or more threads, though in practice you'll usually see two.

0 Karma

LCM
Contributor

In the thread you posted, silvermails answer explains it best (for me). While searching, one core is beeing clamed and the rest ist idling (single-thread) - Thanks David for the hint!

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...