Does the union command affect CPU utilization?

kind7776
New Member

Hi,

[architecture]
One search header, several indexers, one LB forwarder

[Question]
  • If one search statement is issued, does the search run on one indexer (using one CPU core)?

  • When using the union command on the search head, does the search run on one indexer (using one CPU core)?

  • If not, does one search statement run on multiple indexers (using multiple CPUs)?

  • The point is: when using the union command, does one search statement run on multiple indexers?

Thanks.


martin_mueller
SplunkTrust

Do post your search to get a more detailed answer.

In general, the streaming portion of searches (e.g. index=foo | eval field = "bar") will run on all indexers in parallel.
The same holds true for union'd searches, e.g. | union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"] - which is the first example from the union docs at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union
Every indexer will run the searches in parallel, and return results to the search head.

For most cases, I'd recommend using OR instead of union: index=foo OR index=bar | ... because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.

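As an added illustration of the rewrite recommended above (not part of the original answer), here is the union example from the docs alongside an equivalent single search that ORs the two index scopes together. The index names a and b and the type values are constructed to match the example in the answer; the stats clause is an assumed reporting step added so the difference in execution is visible in a real search.

```spl
/* Form 1: union of two subsearches.
   The streaming part of each subsearch (the index scan plus eval) is
   distributed to the indexers, but the union itself, and any
   subsearch limits that apply, are handled on the search head. */
| union
    [ search index=a | eval type="foo" ]
    [ search index=b | eval type="bar" ]
| stats count BY type

/* Form 2: one OR'd search, as recommended in the answer.
   The scan of both indexes is a single streaming search that runs on
   every indexer in parallel; the per-source label is recovered with
   a single eval on the index field, so no subsearch is needed and
   the union command's limits do not come into play. */
index=a OR index=b
| eval type=if(index="a", "foo", "bar")
| stats count BY type
```

When converting an existing union, carry over each subsearch's eval fields into a single case()/if() on the index (or sourcetype) field, as in Form 2, so downstream stats or detection logic keyed on those fields keeps working unchanged.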

martin_mueller
SplunkTrust

If you have spare cores, consider enabling batch mode search parallelization: http://docs.splunk.com/Documentation/Splunk/7.1.0/Capacity/Parallelization#Batch_mode_search_paralle...

That will allow all batch mode eligible searches to search multiple non-hot buckets at once.

As for append vs union, I'd use neither in most cases - instead OR your data sets together in one big search.


kind7776
New Member

Sorry, I seem to have confused the question.
For example, using the append command, you can physically query one CPU core (one indexer).
If you have multiple indexers, I wonder whether using the union command physically searches the CPU cores of several indexers (multiple indexers).

  • I understand that append uses one CPU core and union uses multiple CPU cores, so it is faster when using the union command.

I wonder if the above is true.
