Splunk as Multi-user system

andrey2007 · ‎12-26-2013

Hello, all!
Shortly describe my problem.
We need that near 50 users can use Splunk at the same moment. Is it possible say on server like this: total 16 cores and 24 GB RAM (same server for indexing and searching)?
Or may be you have experience in using Splunk in cases like my , please describe you hardware.

jtrucks · ‎01-02-2014

We have systems with dozens of largely inactive users on similar size machines, but the heavy users tend to cluster on the indexer with 48G RAM and 24 cores. Based on Splunk information, as linu1988 points out, you should count on 1 core per active search during the life of that search and about half a GB of RAM - plus you'll need some level of overhead for the indexing volume. So, with 16 cores, you will easily be able to run a couple dozen concurrent searches if the indexing load isn't that high. However, this includes all scheduled searches/alerts, interactive, background, scripted, and dashboard searches.

My advice is to try it and see what your load ends up being. If you hit resources issues for doing searches, fire up a search head VM to run interactive stuff or to off-load saved search/alert functions. You could have a search head you use just for certain dashboards, for example.

--
Jesse Trucks
Minister of Magic

linu1988 · ‎12-26-2013

Hello,
As you know your requirements better than anyone,the configuration you have should be calculated with the below formulas

 base_max_searches = <int>
* A constant to add to the maximum number of searches, computed as a multiplier of the CPUs.
* Defaults to 6

max_searches_per_cpu = <int>
* The maximum number of concurrent historical searches per CPU. The system-wide limit of 
historical searches is computed as: 
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* Note: the maximum number of real-time searches is computed as: 
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 1

max_rt_search_multiplier = <decimal number>
* A number by which the maximum number of historical searches is multiplied to determine the maximum
* number of concurrent real-time searches 
* Note: the maximum number of real-time searches is computed as: 
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 1

Refer the document and see if you will be able to manage. All the search configurations are done on limits.conf

_http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Limitsconf

andrey2007 · ‎12-26-2013

Yes they need real-time. Every user will run his own serach.

linu1988 · ‎12-26-2013

Are the users need real time data or you can use saved searches just to show periodical data? If so the configuration should be fine

andrey2007 · ‎12-26-2013

Users use the same dashboard. There are 3 pulldown modules for choosing field values and final search which uses pulldown results. Size of my index near 800.000 events and it populates when nobody uses splunk.

linu1988 · ‎12-26-2013

Depends what are the searches being performed. If you have dashboards how are you populating data and how many panels contain searches. So when we consider 50 users it is quite possible to work with the above config with moderate usage. But as the search load/indexing goes up you may lag in some performance

Splunk as Multi-user system

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk