Performance Profiling

southeringtonp
Motivator

What's the best approach to start profiling a standalone server to determine either: a) the best way to improve performance on interactive searches; or b) whether it's time to start moving toward adding a dedicated search head and/or indexers?

I'm familiar with the docs at this URL, but I'm looking for better steps to gauge when it's really time to move up vs. the need for specific tuning.

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...

DrewO
Splunk Employee

It's almost like asking when to buy a new car or change your hair style: there are a lot of factors to consider. Performance can be improved in many ways. Learning to write the best searches and using the narrowest time frames will improve search performance without any hardware modifications. Minimizing or refining search-time field extractions can also increase search performance. Increasing the firepower of your present server might also be an option.

As far as benchmarks go, they can be really subjective things like:
Do searches seem really slow? Are your users complaining?

Or they can be more measurable things like: Is it taking too long for data to get indexed? Are certain searches slow and others fast? Do you have a lot of concurrent users? What is your daily indexing rate? Are you planning on adding more users/data sources in the near future?

Adding a search head will not give too much of a performance boost since you are just moving SplunkWeb to a different machine. The way Splunk works, splunkd does almost all of the heavy lifting. It indexes your data and it runs your searches; SplunkWeb just runs the user interface. Splitting up your indexing and searching across 2 indexers will give you the best performance increase since you are doubling both the indexing and searching power that way.

Check out a blog entry by one of our founders on this topic: http://blogs.splunk.com/2009/10/27/add-a-server-or-two/

0 Karma

southeringtonp
Motivator

Thanks. I've seen the blog entry, though I'd forgotten it. As a clarification, I'm not so much looking for hard-and-fast rules or a "when x happens you need to upgrade". I'm more interested in objective metrics to support an informed decision on when and how to upgrade, as well as to identify when it's just a configuration issue or a poorly written search. The bundled views go a little way towards that goal, but I was wondering what else people were looking at, or if anyone had compiled a list of metrics or profiling searches.

0 Karma