Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mulitple searchable copies in splunk...

a212830
Champion
‎09-21-2014 06:11 AM

Hi,

Does having multiple searchable copies of your index make splunk searches go faster? I've heard different responses on this question.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-21-2014 06:24 AM

Short answer: It depends, but usually not.

Long answer: In a regular old cluster there's one primary copy of each bucket that's queried by searchheads. Other searchable copies may exist, but they're not used. Using them wouldn't speed up most searches either, because the other search peers are busy serving up data from other buckets they may be primary for.
However, in a multi-site cluster search affinity lets search heads use a searchable copy in their own site, indeed speeding up searches. That's not achieved by querying one bucket in multiple search peers though, but rather by choosing one copy from a nearby search peer instead of a distant - and therefore slower - one.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-21-2014 08:04 AM

Just to be clear, it never makes a single search run faster. But as martin_mueller says, it can increase capacity if you have a multi-site cluster, so the total amount of searching can go faster. It is possible that future optimizations and improvements to Splunk will allow increased capacity even without multi-site clustering, but that is not the case in the current (6.1) version.

0 Karma
Reply

a212830
Champion
‎09-21-2014 07:37 AM

Thanks. Interesting - definitely NOT what I'm being told by Splunk SE's...

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-21-2014 06:40 AM

I confirm, for now on splunk 6.0 and 6.1 even if you have multiple searchable bucket copies only one will be searched.
The reason for having search-factor>1 is to have the some buckets copies immediately ready when an indexer is lost. And not have to wait for the preparation to make one of the copies a searchable copy.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...