Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Very high number of scheduled searches - what architecture?

bckq
Path Finder
‎04-25-2013 12:47 AM

I have indexing about 1GB data per day, but I have a lot of scheduler searchers. There are about 200 searches that runs every minute. Currently I have two indexers (8CPU and 24CPU) and one search head (24CPU). I noticed that search head is running slower and slower. Splunk instance on search head crashes few times a day and it must be restarted. I need to enlarge my architecture but I don't know in what direction should I go. Do you have any ideas?

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎04-25-2013 07:25 AM

there's a chapter in the Distributed Deployment Manual about how Splunk uses different types of resources, here's the topic about search performance:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Accommodatemanysimultaneoussearches

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...