Deployment Architecture

Splunk on HP-UX, Too much CPU consumption

clyde772
Communicator

Hello fellow splunkers!

Anybody out there have experience with Splunk on HP-UX where it just consumes too much CPU resource just even being at the starting page of search? Or have all the community people gave up on installing Splunk on HP-UX?

Currently we are facing a situation where customer expects us to install Splunk on HP-UX and even use that as the indexer too. Does this make sense or even possible? Based on our tests, Splunk consumed too much CPU resource where we had to take it down immediately after we brought the splunk instances up.

I very much appreciate your opinion. Happy splunking~!

Tags (3)

hexx
Splunk Employee
Splunk Employee

A few things to keep in mind :

  • The main splunkd daemon will spawn new splunkd processes when searches are run. Each search will create two splunkd processes (a main process and a helper process). This is why you see more than one splunkd.
  • A search can consume up to one full core while it's running. This is actually expected as we want a historical search to complete as quickly as possible.
  • Things are slightly different for real-time searches, which will run continuously regardless of the number of events they process. Typically, the consume less than one full core as they run although that will depend on the rate of events they pick up and process.
  • Perhaps most importantly : A Splunk indexer/search-head is expected to have medium to high CPU usage, in concordance with the search activity going on.

To answer your question about HP-UX, although it is not a common platform to run indexers or search-heads (and not the one we would recommend as the best), Splunk is fully compatible with it.

dwaddle
SplunkTrust
SplunkTrust

Totally agree with hexx0 here about HPUX not being an "ideal" Splunk platform. It's not that CANNOT do it - it's mainly that from a cost-of-ownership point of view it really isn't that cost effective. Splunk's whole architecture is based on using lots of (relatively) low cost commodity x86 hardware. Traditional Midrange Unix platforms like HPUX, Solaris, and AIX just don't have the cost economies to allow you to have 4 or more indexers sharing workload.

clyde772
Communicator

Thanks for your feedback. I appreciate your feedback.

Many "splunkd" run due to "live dashboard" view when default setting is set.

About the other processes' consumption, no, it's running normal, meaning majority of CPU is consumed by multiple splund processes.

Multiple splunkd sucks up most of CPU resources. I am curious about if the splunkd on HP-UX is really compatible with OS.

I have 15 years of Unix admin experience, it's not due to external factors, I don't believe.

So re-pharase the question, anyone of you have ever installed Splunk on HP-UX as indexer and worked well?
the question is more emphasis on binary and OS compatibility fronts.

Appreciate your feedback. Thanks.

0 Karma

hexx
Splunk Employee
Splunk Employee

Could you please define "too much CPU"? How was the CPU consumption of Splunk measured, and what values were found?

0 Karma

MHibbin
Influencer

Have you checked what else is running on the machine? Does the "top" command work on HP-UX?

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...