Monitoring Splunk

Does the union command affect CPU utilization?

One search header, several indexers, one LB forwarder

* If one search statement is returned, the search starts from one indexer. (Using CPU 1 core)

  • When using the Union command in the search header, does the search run in one indexer? (Use CPU 1 core?)

  • If not, does one search statement run on multiple indexers? (Using multiple CPUs?)

  • The point is, when using the Union command, does one search statement run on multiple indexers?




Do post your search to get a more detailed answer.

In general, the streaming portion of searches (e.g. index=foo | eval field = "bar") will run on all indexers in parallel.
The same holds true for union'd searches, e.g. | union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"] - which is the first example from the union docs at
Every indexer will run the searches in parallel, and return results to the search head.

For most cases, I'd recommend using OR instead of union: index=foo OR index=bar | ... because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.



If you have spare cores, consider enabling batch mode search parallelization:

That will allow all batch mode eligible searches to search multiple non-hot buckets at once.

As for append vs union, I'd use neither in most cases - instead OR your data sets together in one big search.


Sorry, I seem to have confused the question.
For example, using the append command, you can physically query one CPU core (one indexer).
If you have multiple indexers, I wonder if you use the union command to physically search the CPU core using several indexers (multiple indexers).

  • I understand that append uses one cpu core, and union uses multiple cpu cores, so it is faster when using the union command.

I wonder if the above is true.
