Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Performance Profiling

southeringtonp
Motivator
‎09-02-2010 05:40 AM

What's the best approach to start profiling a standalone server to determine either: a) the best way to improve performance on interactive searches; or b) whether it's time to start moving toward adding a dedicated search head and/or indexers?

I'm familiar with the docs at this URL, but looking for better steps to gauge when it's really time to move up vs. the need for specific tuning.

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...

Reply

DrewO
Splunk Employee
Splunk Employee
‎09-02-2010 07:07 AM

It's almost like asking when to buy a new car or change your hair style there are a lot of factors to consider. Performance can be improved in many ways. Learning to write the best searches and using the narrowest time frames will improve search performance without any hardware modifications. Minimizing or refining search time field extractions can also increase search performance. Increasing the firepower of your present server might also be an option.

As far as benchmarks go, they can be really subjective things like:
Do searches seem really slow? Are your users complaining?

Or they can be more measurable things like: Is it taking too long for data to get indexed? Are certain searches slow and others fast? Do you have a lot of concurrent users? What is your daily indexing rate? Are you planning on adding more users/data sources in the near future?

Adding a search head will not give too much of a performance boost since you are just moving SplunkWeb to a different machine. The way Splunk works splunkd does almost all of the heavy lifting. It indexes your data and it runs your searches, SplunkWeb just runs the user interface. Splitting up your indexing and searching across 2 indexers will give you the best performance increase since you are doubling both the indexing and searching power that way.

Check out one of our founder's blog entry on this topic: http://blogs.splunk.com/2009/10/27/add-a-server-or-two/

0 Karma
Reply

southeringtonp
Motivator
‎09-04-2010 02:22 AM

Thanks. I've seen the blog entry, though I'd forgotten it. As a clarification, I'm not so much looking for hard-and-fast rules or a "when x happens you need to upgrade". I'm more interested in objective metrics to support an informed decision on when and how to upgrade, as well as to identify when it's just a configuration issue or poorly written search. The bundled views go a little way towards that goal, but was wondering what else people were looking at, or if anyone had compiled a list of metrics or profiling searches.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...