Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Which resources are affecting Splunk Enterprise Data Pipeline?

rbakeredfi
Explorer
‎03-08-2024 06:09 AM

When the index pipeline begins backing up at any stage, which resources are responsible for the bottleneck. Obviously, once backed up the problem will overflow into other areas but is there a "rule" or anything that says if the backup is at the Parsing Pipeline then the storage IO is too low,  Merging Pipeline then the CPU is too low,  Typing Pipeline the memory is too low, or Index Pipeline it's network bandwidth, etc. I am specifically looking for info regarding a Heavy Forwarder but any help would be appreciated.

*It's not as bad as the picture makes it seem, just posting for visual*

rbakeredfi_0-1709906810530.png

 

Labels (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-08-2024 07:07 AM

Hi @rbakeredfi,

are you speaking of an Indexer or an Heavy Forwarder?

Have you done a correct assignemt of resources? how many CPUs have you on this server?

If you're speaking of an Indexer, have you a performant disk: at least 800 IOPS (better 1200)?

Ciao.

Giuseppe

0 Karma
Reply

rbakeredfi
Explorer
‎03-08-2024 07:50 AM

I am looking for more of a generic mapping of resources to parts of the pipeline.

However, this specific case is regarding a HF.

Machine NameMachine CPU Cores (Physical / Virtual)Physical Memory Capacity (MB)Operating SystemArchitecture
redacted16 / 32131020Windowsx64
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-08-2024 07:56 AM

Hi @rbakeredfi,

forgetting for a moment the use of Windows that I'd avoid in production systems!

how many logs this HF must manage?

are there many syslogs? if yes how do you input them using Splunk inputs or an external rsyslog server?

Are you sure to have a performant network between the HF and the Indexers?

are Indexers overloaded or not?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...