Knowledge Management

parallel reduce search processing - How do i know it is working? Do i have to use "Redistribute"?

robertlynch2020
Motivator

Hi

I have configured the below
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Parallelreduceoverview

Am i right to say i have to use the command Redistribute in my search to use this or is this something extra for high-cardinality searches?

But i am not seeing an performance decrease, so how can i check it is working?
I have one search head and 2 indexers (non-Clustered)

I have set the following on the indexers

server.conf
[parallelreduce]
pass4SymmKey = $7$qkfkqE35XUbVp9oAqD2M+bBQVTufnczdRnyIcnuQrbXhAV/u+7QyBaXR

 limits.conf
    [parallelreduce]
    reducers=10.25.5.169:5089, 10.25.53.57:5089

I have added in both indexers here, i am assuming i need to add in it self?

My user can run the command
run_multi_phased_searches
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Setupparallelreduce

Then i run the command and add redistribute to the command (If i understand correctly this is what we are to do!!) - But below does not work.

    | tstats summariesonly=true      chunk_size=1000000000 max(MXTIMING.Elapsed) AS Elapsed  FROM datamodel=MXTIMING_V9 WHERE 
    host=Luas_TestCampaign_PI9_2 
GROUPBY _time MXTIMING.Machine_Name MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Date MXTIMING.Time MXTIMING.MXTIMING_TYPE_DM source MXTIMING.UserName2 MXTIMING.source_path MXTIMING.Command3 MXTIMING.Context3 span=1s | redistribute by _time

So the errors i am getting is below - But i don't understand i have tried to put redistribute in multiple parts of the search

Redistribute Processor: Cannot redistribute events that have been aggregated at the search head. Place the redistribute command before transforming commands that do not have a 'by' clause.

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Redistribute

Any help would be great - or how can i check what log

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...