Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for "high performance Splunk"

Jason
Motivator
‎11-05-2010 02:51 PM

A client is looking for advice on tuning splunk for what they call "high performance" - defined as minimizing cpu, network transfer, disk IO.

I have been under the impression that the defaults are some of the best settings for general use, and I know the limits.conf maxKBps value will limit network traffic emitted from a forwarder.

Are there any other tunable settings you use to optimize CPU or disk use?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎11-05-2010 11:58 PM

If you are talking about the indexer then I think you are mixing two ideas here.
The first one is being HIGH SPLUNK PERFORMANCE, that is, Splunk works fast, Splunk indexes fast, Splunk searches fast, Splunk does everything fast. If this is what you want, then you need Lots of CPU Power, Lots of RAM, FAST Disk IO and FAST network. And more importantly, you want all of the above because you want Splunk to USE all that power.

If you want splunk not to use PC resources, then do not index too much data, do not run heavy and dense searches, do not run realtime searches, do not allow more then one user at a time, do not do regex extractions while indexing etc..etc..

The idea here is, it really depends on the load you want to put on splunk. If you want Splunk to do heavy work, then you should be willing to allow it and enable it to do so with good hardware.

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎11-05-2010 11:58 PM

If you are talking about the indexer then I think you are mixing two ideas here.
The first one is being HIGH SPLUNK PERFORMANCE, that is, Splunk works fast, Splunk indexes fast, Splunk searches fast, Splunk does everything fast. If this is what you want, then you need Lots of CPU Power, Lots of RAM, FAST Disk IO and FAST network. And more importantly, you want all of the above because you want Splunk to USE all that power.

If you want splunk not to use PC resources, then do not index too much data, do not run heavy and dense searches, do not run realtime searches, do not allow more then one user at a time, do not do regex extractions while indexing etc..etc..

The idea here is, it really depends on the load you want to put on splunk. If you want Splunk to do heavy work, then you should be willing to allow it and enable it to do so with good hardware.

Reply
Solved! Jump to solution

rotten
Communicator
‎11-05-2010 07:47 PM

Are you talking about minimizing the forwarder footprint, or maximizing the Indexer performance?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...