Splunk Enterprise Security: Is it better to enable Hyper-threading?

edoardo_vicendo
Contributor

Hello,

I am wondering if on a dedicated Search Head with Splunk Enterprise Security it is better or not to enable Hyper-threading.

Our server is a blade with a dedicated VM with 2x20 physical core CPU Intel Xeon 6148 + 96GB RAM (we can increase the RAM if necessary up to 256GB).

I guess with 40 physical cores searches could be faster, and with 80 virtual cores there will be more "space" to perform concurrent searches.

So better having 40 physical cores OR 80 virtual cores?

Is there any study showing pros and cons?

Thanks a lot,

Edoardo

0 Karma
1 Solution

satyenshah
Path Finder

The guidance from Intel is to disable hyperthreading on searchheads for best performance.  On searchheads, single-thread performance is more helpful than core count.  On indexers, hyperthreading helps indexing but hurts searching.  So you can enable/disable it to optimize for one or the other.


edoardo_vicendo
Contributor

Thanks for your reply!

We have already followed the guide you provided and also the one listed here below.

By the way I opened an Idea called "Virtualization and Performance guide for deploying Splunk"

https://ideas.splunk.com/ideas/EID-I-1008

Below are some examples of case studies we have followed:

https://core.vmware.com/resource/splunk-vmware-vsan

https://www.dell.com/community/s/vjauj58549/attachments/vjauj58549/storage-and-data-protection-wiki-...

https://www.delltechnologies.com/resources/en-us/asset/offering-overview-documents/products/storage-...

https://www.intel.com/content/dam/www/public/us/en/documents/reference-architectures/high-performanc...

0 Karma

edoardo_vicendo
Contributor

Coming back again on this.

I read different suggestions about enabling Hyper-threading on the Search Heads, but I am wondering about a configuration present in limits.conf:

Maximum # of Concurrent Searches per SH Instance:
– (max_searches_per_cpu x Logical # of CPUs) + base_max_searches

max_searches_per_cpu = <integer>
* The maximum number of concurrent historical searches for each CPU.
  The system-wide limit of historical searches is computed as:
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

Therefore if you do not enable Hyper-threading but you increase max_searches_per_cpu to 2 you are more or less obtaining the same result?

0 Karma
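
The limits.conf formula quoted in the post above, evaluated for the two configurations under discussion (an added example, not part of the original thread and not Splunk's code). It assumes the defaults base_max_searches = 6 and max_rt_search_multiplier = 1 from limits.conf.spec, which do not appear on the page; the function name and the sample stanzas are constructed for illustration.

```python
import configparser

# Only max_searches_per_cpu's default (1) is stated on the page; the other
# two defaults are assumptions taken from limits.conf.spec.
DEFAULTS = {
    "max_searches_per_cpu": "1",
    "base_max_searches": "6",
    "max_rt_search_multiplier": "1",
}

# Constructed sample stanzas for the two setups compared in the thread.
HT_OFF_TUNED = """
[search]
# Hyper-threading disabled, per-CPU limit doubled
max_searches_per_cpu = 2
"""
HT_ON_DEFAULT = """
[search]
# Hyper-threading enabled, defaults left alone
"""


def search_limits(limits_conf_text, logical_cpus):
    """Return (max_hist_searches, max_rt_searches) for a [search] stanza."""
    if logical_cpus < 1:
        raise ValueError("logical_cpus must be >= 1")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(limits_conf_text)
    stanza = dict(DEFAULTS)
    if parser.has_section("search"):
        stanza.update(parser["search"])  # explicit settings override defaults
    per_cpu = int(stanza["max_searches_per_cpu"])
    base = int(stanza["base_max_searches"])
    rt_mult = float(stanza["max_rt_search_multiplier"])
    # max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches
    max_hist = per_cpu * logical_cpus + base
    # max_rt_searches = max_rt_search_multiplier x max_hist_searches
    # (truncating to an integer is an assumption of this example)
    max_rt = int(rt_mult * max_hist)
    return max_hist, max_rt


if __name__ == "__main__":
    # 2x20 physical cores on the host described in the thread
    print("HT off, max_searches_per_cpu=2:", search_limits(HT_OFF_TUNED, 40))
    print("HT on,  defaults:              ", search_limits(HT_ON_DEFAULT, 80))
    print("HT off, defaults:              ", search_limits(HT_ON_DEFAULT, 40))
```

The formula only sets how many searches may run concurrently; it does not model how fast each search runs on a physical versus a logical core.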

richgalloway
SplunkTrust

Enabling hyper-threading won't hurt and may help.  Try it.

---
If this reply helps you, Karma would be appreciated.
0 Karma