Monitoring Splunk

Does the union command affect CPU utilization?

kind7776
New Member

Hi,

[architecture]
One search header, several indexers, one LB forwarder

[Question]
  • If one search statement is issued, does the search run on one indexer (using 1 CPU core)?

  • When using the union command on the search header, does the search run on one indexer (using 1 CPU core)?

  • If not, does one search statement run on multiple indexers (using multiple CPUs)?

  • The point is, when using the union command, does one search statement run on multiple indexers?

Thanks.

0 Karma

martin_mueller
SplunkTrust

Do post your search to get a more detailed answer.

In general, the streaming portion of searches (e.g. index=foo | eval field = "bar") will run on all indexers in parallel.
The same holds true for union'd searches, e.g. | union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"] - which is the first example from the union docs at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union
Every indexer will run the searches in parallel, and return results to the search head.

For most cases, I'd recommend using OR instead of union: index=foo OR index=bar | ... because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.

0 Karma
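As an added illustration of the OR rewrite recommended in the answer above (example search, not from the original post or the Splunk docs): the docs' union example tags events from index a and index b with a type field in two subsearches; the single search below does the same tagging in one streaming pipeline, so the filter and the eval run on every indexer holding those buckets, and only the final stats reduces the partial results on the search head. The index names a and b and the tag values foo and bar are taken from the docs example quoted in the answer; the stats clause is an added assumption to make the result visible.

```spl
index=a OR index=b
| eval type=case(index=="a", "foo", index=="b", "bar")
| stats count BY index, type
```

Everything before the stats command is streaming and is distributed to the indexers in parallel; the stats command is the reducing step where results come back to the search head. Splitting the data sets into union subsearches does not add parallelism beyond this, while the OR form avoids the subsearch limits the answer mentions.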

martin_mueller
SplunkTrust

If you have spare cores, consider enabling batch mode search parallelization: http://docs.splunk.com/Documentation/Splunk/7.1.0/Capacity/Parallelization#Batch_mode_search_paralle...

That will allow all batch mode eligible searches to search multiple non-hot buckets at once.

As for append vs union, I'd use neither in most cases - instead OR your data sets together in one big search.

0 Karma
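The batch mode parallelization the answer above links to is controlled by a limits.conf setting; the fragment below is an added, constructed example and not taken from the page. The stanza and key name (batch_search_max_pipeline under [search]) are from the limits.conf reference as I know it, and the value 2 is an assumed starting point for a host with spare cores; which tier the setting belongs on and the supported range should be checked against the linked Capacity documentation before rolling it out.

```ini
# limits.conf (constructed example; check the linked Capacity doc for the tier to apply it on)
[search]
# Number of search pipelines a batch mode search may use; the default is 1 (no parallelization).
# Each extra pipeline consumes another core per search, so size it against spare CPU, not total CPU.
batch_search_max_pipeline = 2
```

Because every eligible search can now consume that many cores at once, monitor indexer CPU after the change; on a box that is already near saturation the extra pipelines compete with indexing rather than speeding searches up.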

kind7776
New Member

Sorry, I seem to have confused the question.
For example, using the append command, you can physically query one CPU core (one indexer).
If you have multiple indexers, I wonder if you use the union command to physically search the CPU cores of several indexers (multiple indexers).

  • I understand that append uses one CPU core, and union uses multiple CPU cores, so it is faster when using the union command.

I wonder if the above is true.

0 Karma