Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CPU Cores assigned to Index Pipeline

edoardo_vicendo
Builder
‎10-20-2021 10:34 AM

Hello,

In our environment we have Splunk HF with 2 parallel Ingestion Pipelines.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Capacity/Parallelization#Index_parallelization

One of the aim of those Splunk HF is to offload the Splunk Indexer on parsing Pipeline, Merging Pipeline and Typing Pipeline. Due to that the data coming from Splunk HF are already "processed" and our Indexer are mostly processing them only in the Index Pipeline.

https://wiki.splunk.com/Community:HowIndexingWorks

On the Indexers we only have 1 Ingestion Pipeline, the CPU Cores used for indexing are typically 4-6.

Does our Indexers are taking advantage using pretty much all the 4-6 CPU Cores for the Index Pipeline only OR they are "wasted" on the other mostly idle pipelines?

Thanks a lot,
Edoardo

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2021 03:00 PM

How many source systems, HFs and indexers you have? Probably more interesting is how well your events are distributed over indexers than how well those cores/pipelines are used in any particular moment. Here is excellent tools to check this https://github.com/silkyrich/cluster_health_tools.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...