Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

is the physical server configuration effecting the SearchHead performance.

vikram_m
Path Finder
‎04-18-2017 04:46 AM

We have a searchhead and it is an Azure D4V2 machine i.e 8core machine.

We have real time alerts scheduled on the same, now a days we are facing the queue full alert regularly is this also due to the physical configuration of server will a recommendation to upgrade the VM help here.

Thanks.
Vikram.

0 Karma
Reply

jcrabb_splunk
Splunk Employee
Splunk Employee
‎04-18-2017 06:06 AM

As mentioned in other comments, with light to moderate use on a single instance, we would recommend 12 CPU Cores minimum. In a distributed environment the your requirements may increase based on your needs.

With that said, you will want to avoid Real Time Alerts as those searches will be running all the time and prevent other searches from being dispatched. Keep in mind, Splunk can only run so many searches at a given time. Here is the calculation:

https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html

If your Real Time Alerts are simply sending an email, you should replace all of those with scheduled searches which send an alert and schedule them to run very often, for example every 5 minutes. In this example, there was a RT search running and we replaced it with a scheduled search which runs every 5 minutes, looking back 5 to 10 minutes. The reason we do that is to allow for index latency, to help guarantee that the relevant event isn't missed.

alt text

You could adjust that accordingly of course and set Earliest to -8m@m and Latest to -3m@m and run the search every 3 minutes. In summary, make sure you eliminate any unnecessary real time searches. If you are running too many searches in general, adjust the schedules to run less often.

Jacob
Sr. Technical Support Engineer
Preview file
51 KB
0 Karma
Reply

3no
Communicator
‎04-18-2017 05:12 AM

One core per search per user.

So if a user you open a dashboard with 8 panels, you're already at the limit.

0 Karma
Reply

vikram_m
Path Finder
‎04-18-2017 05:44 AM

Thanks for the answer 3no what my next doubt comes is we have dashboards also configured.

Now is a user logs in and sees the dashboard a core is utilized but suppose if no one opens the dashboard is there anything that still the core is utilized?

Sorry it may feel a invalid question but I had this doubt so asked it.

but thanks again for your previous reply.

0 Karma
Reply

3no
Communicator
‎04-18-2017 06:07 AM

No but il you have alerts, reports or schedule search running at this time, it will use them.

0 Karma
Reply

adonio
Ultra Champion
‎04-18-2017 04:58 AM

Hi Vikram_m, not sure i fully understand the situation but splunk best practices requires a stronger machine.
reference hardware described here in docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Capacity/Referencehardware

0 Karma
Reply

vikram_m
Path Finder
‎04-18-2017 05:51 AM

Thanks for the doc adonio...this will be helpful.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...