Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CPU Cores assigned to Index Pipeline

edoardo_vicendo
Builder
‎10-20-2021 10:34 AM

Hello,

In our environment we have Splunk HF with 2 parallel Ingestion Pipelines.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Capacity/Parallelization#Index_parallelization

One of the aim of those Splunk HF is to offload the Splunk Indexer on parsing Pipeline, Merging Pipeline and Typing Pipeline. Due to that the data coming from Splunk HF are already "processed" and our Indexer are mostly processing them only in the Index Pipeline.

https://wiki.splunk.com/Community:HowIndexingWorks

On the Indexers we only have 1 Ingestion Pipeline, the CPU Cores used for indexing are typically 4-6.

Does our Indexers are taking advantage using pretty much all the 4-6 CPU Cores for the Index Pipeline only OR they are "wasted" on the other mostly idle pipelines?

Thanks a lot,
Edoardo

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2021 03:00 PM

How many source systems, HFs and indexers you have? Probably more interesting is how well your events are distributed over indexers than how well those cores/pipelines are used in any particular moment. Here is excellent tools to check this https://github.com/silkyrich/cluster_health_tools.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...