Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Pros and Cons for Multiple Splunk Indexers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our present architecture now is single indexer, and multiple universal forwarders; However, it's getting slower when we have multiple panels and multiple search strings. Wondering if the solution is to have multiple indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you're describing is search concurrency vs indexing capability. Number of indexers wont particularly effect the search results ( I say that, but there is a causation with multiple indexers / clustering and search distribution.) This is especially true if you're running in an 'all-in-one' IDX / SH case..
Simple answers:
1) Increasing indexer numbers will decrease disk i/o and minimal cpu / memory usage on the boxes, allowing more potential search
2) Separating your SH / IDX into different boxes will also reduce overhead
3) Check your CPU and MEm utilization on your current box and see if you are actually resource constrained. CPU / Memory utilization is typically search related, where-as Disk i/o utilization will be more along the lines of actually indexing. If you're on a VM, add more memory and vcpu.
4) On the Search side, perhaps you should be looking at scheduled searches vs real-time (run search when dashboard loads) type searches. (Savedsearches and loadjob..) This typically is one way to help alleviate dashboard loadtime issues, but it is does depend on your search requirements.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you're describing is search concurrency vs indexing capability. Number of indexers wont particularly effect the search results ( I say that, but there is a causation with multiple indexers / clustering and search distribution.) This is especially true if you're running in an 'all-in-one' IDX / SH case..
Simple answers:
1) Increasing indexer numbers will decrease disk i/o and minimal cpu / memory usage on the boxes, allowing more potential search
2) Separating your SH / IDX into different boxes will also reduce overhead
3) Check your CPU and MEm utilization on your current box and see if you are actually resource constrained. CPU / Memory utilization is typically search related, where-as Disk i/o utilization will be more along the lines of actually indexing. If you're on a VM, add more memory and vcpu.
4) On the Search side, perhaps you should be looking at scheduled searches vs real-time (run search when dashboard loads) type searches. (Savedsearches and loadjob..) This typically is one way to help alleviate dashboard loadtime issues, but it is does depend on your search requirements.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it. Thanks for giving detailed information on this. Follow up question: will it consume bandwidth? We will be deploying boxes remotely, and current architecture is that these boxes have universal forwarders. The main Indexer is here in our office.
If we deploy indexers to these boxes, instead of universal forwarders, I would imagine, that if I run a search query from the main server, it will connect to these remote boxes all the time? Isn't it going to be slower that way? Specially when at the worst case, the network is slow, even at load balancing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you run a search from a SH, it distributes the search to all peers. So if you have bandwidth issues betweent he SH and IDX, then you wont get all search results or will get timeouts from the peers. It really depends on your use case. Typically, indexers should be close to the SH. Remote sites should have aggregated HF instances that collect and hold the splunk feeds until bandwidth is available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this means, you would recommend having one SH, multiple IDX (both of which are deployed in the office) and remote sites all have HF instances?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
