Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I trend resource consumption of realtime (scheduled) searches?

Lowell
Super Champion
‎02-25-2014 02:02 PM

Any suggestions on techniques (or KPIs) for trending realtime searches within a Splunk environment?

I'm doing some simple daily trend analysis on all the (non-realtime) scheduled searches by looking at run_time as reported by the scheduler.log, but that value isn't helpful for realtime searches since realtime searches never really stop. For historic searches, I capture median run_time, total run_time, total events/results returned, and events scanned (to evaluate which searches are hitting the disk the most). All stats are stored in a summary index.

My aim in trending this information is to establish a long-term baseline to identify search performance changes and track the biggest resource consumers.

Any ideas on how to do something similar for real-time searches?

Reply

MuS
SplunkTrust
SplunkTrust
‎02-26-2014 06:11 AM

Hi Lowell,

running a REST search for your rt search brings a lot of different performance counters and information regarding eventCount and diskUsage.
My rt search is something like this eventtype="x-base-check" | ... and I find the information about this search via REST like this:

| rest /services/search/jobs | search eventSearch="*base-check*" isRealTimeSearch="1"

I don't know if this is useful to you or not, but this is what I use to get performance information related to real-time searches.

cheers, MuS

Reply

Lowell
Super Champion
‎02-28-2014 11:41 AM

I thought about a rest-based approach, but didn't think it had enough info, and I was hoping to capture performance deltas rather than lifetime stats. But after looking more, I think this probably is the best option. So I've setup a persist a snapshot (summary index) every 15 minutes. I'll create a daily summary of the data for long-term analysis. This does 2 things I hadn't initially anticipated: (1) it allows me to capture long-running non-scheduled searches, and (2) associates the searches with a UI view. Thanks MuS! I may post my full solution once I get everything working.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...