Monitoring Splunk

Configuration to achieve better performance of Splunk


I want to carry out performance monitoring of Splunk. I came across this benchmark while browsing What was the configuration in config files like limits.conf and indexes.conf while carrying out these measurements? Were some parameters like memPoolMB or max_mem_usage_mb tuned to achieve better performance or were the set to their default configuration only?

0 Karma

Ultra Champion

The Reference hardware and sizing guides are based on not making any changes to limits.conf.

Adjustments to limits tends to be tuning around large event types, lookups or other environmental peculiarities you have in your environment. the default limits.conf should be optimized for a 'standard' Splunk deployment.

The same is true for indexes.conf, with some subtle nuances.

The reference spec includes storage with a defined rate of IOPS.
You should configure your hot/warm data to exist on your fastest storage device, as you want to be able to read/write as quickly as possible.
Your use case for data life-cycle management dictates after how old(big) your warm data gets before it gets moved to cold.
If you have two tiers of storage (ssd & spinning disk) there are advantages to separating the index paths, putting cold on the slower disk, but the reference indexing capabilities are primarily concerned with the indexers ability (and the IOPS) taken to write hot/warm.

If my comment helps, please give it a thumbs up!
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.