Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CPU Cores assigned to Index Pipeline

edoardo_vicendo
Contributor
‎10-20-2021 10:34 AM

Hello,

In our environment we have Splunk HF with 2 parallel Ingestion Pipelines.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Capacity/Parallelization#Index_parallelization

One of the aim of those Splunk HF is to offload the Splunk Indexer on parsing Pipeline, Merging Pipeline and Typing Pipeline. Due to that the data coming from Splunk HF are already "processed" and our Indexer are mostly processing them only in the Index Pipeline.

https://wiki.splunk.com/Community:HowIndexingWorks

On the Indexers we only have 1 Ingestion Pipeline, the CPU Cores used for indexing are typically 4-6.

Does our Indexers are taking advantage using pretty much all the 4-6 CPU Cores for the Index Pipeline only OR they are "wasted" on the other mostly idle pipelines?

Thanks a lot,
Edoardo

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2021 03:00 PM

How many source systems, HFs and indexers you have? Probably more interesting is how well your events are distributed over indexers than how well those cores/pipelines are used in any particular moment. Here is excellent tools to check this https://github.com/silkyrich/cluster_health_tools.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...