There are many factors that could cause performance issues in your prod environment that wasn’t in the dev environment, production normally has more data and many other variables to that could cause issues.
Splunk is a workhorse, it needs CPU/Memory/Disk resources and other factors to be in place.
Things to consider
- Has the environment been sized according for production?
- Is the disk on fast type of disks SSD etc
- Are there lots of user’s run running the same search and for all time and at the same time?
- Do you have indexer clustering or is it Splunk All in One
The Add-ons (TA’s) normally provide parsing and other knowledge objects and potentially it could impact the environment with regex processing as an example. The Splunk apps on the other hand have searches and dashboards that could potentially impact with long running searches. But normally it’s down to the Splunk sizing or something based on the environment.
I don’t re-call a TA ever causing performance issues in the PROD environment, but it could happen I guess.
I suggest:
- Use the Monitoring Console for the production environment, this is a good place to start to check the performance issues. Check CPU/Memory on the SH and Indexers first.
- Check the Searches Run and Search Memory usage, using the MC.
- If you removed the TA does it improve and re-install, does it get bad again?
- If that all fails then perhaps look at logging a support call.
Monitoring Console
https://docs.splunk.com/Documentation/Splunk/9.2.1/DMC/DMCoverview
Splunk Sizing guide
https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Sizing_your_Splunk_architectu...
