Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Which resources are affecting Splunk Enterprise Data Pipeline?

rbakeredfi
Explorer
‎03-08-2024 06:09 AM

When the index pipeline begins backing up at any stage, which resources are responsible for the bottleneck. Obviously, once backed up the problem will overflow into other areas but is there a "rule" or anything that says if the backup is at the Parsing Pipeline then the storage IO is too low,  Merging Pipeline then the CPU is too low,  Typing Pipeline the memory is too low, or Index Pipeline it's network bandwidth, etc. I am specifically looking for info regarding a Heavy Forwarder but any help would be appreciated.

*It's not as bad as the picture makes it seem, just posting for visual*

rbakeredfi_0-1709906810530.png

 

Labels (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-08-2024 07:07 AM

Hi @rbakeredfi,

are you speaking of an Indexer or an Heavy Forwarder?

Have you done a correct assignemt of resources? how many CPUs have you on this server?

If you're speaking of an Indexer, have you a performant disk: at least 800 IOPS (better 1200)?

Ciao.

Giuseppe

0 Karma
Reply

rbakeredfi
Explorer
‎03-08-2024 07:50 AM

I am looking for more of a generic mapping of resources to parts of the pipeline.

However, this specific case is regarding a HF.

Machine NameMachine CPU Cores (Physical / Virtual)Physical Memory Capacity (MB)Operating SystemArchitecture
redacted16 / 32131020Windowsx64
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-08-2024 07:56 AM

Hi @rbakeredfi,

forgetting for a moment the use of Windows that I'd avoid in production systems!

how many logs this HF must manage?

are there many syslogs? if yes how do you input them using Splunk inputs or an external rsyslog server?

Are you sure to have a performant network between the HF and the Indexers?

are Indexers overloaded or not?

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...