Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

can batch_search_max_pipeline increase on standalone server

ips_mandar
Builder
‎12-13-2020 07:10 AM

Hi,

I have standalone server which acting as search head and indexer . And the server is under utilized so I want to increase  batch_search_max_pipeline=2 which will also improve search performance as well.

I want to confirm before making changes that is it applicable this change on my standalone server. Or this change is applicable only for indexer cluster.
so can I make this change on my standalone server?

Thanks, 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 11:10 AM

Thanks for the information.

600GB/day is too much for a single indexer/HF.  Splunk recommends 100GB/day/indexer so, by that measure, you should have 6 indexers.

Why are you passing all of your data through a heavy forwarder?  Doing that actually slows indexing because of extra processing that has to be done.  Try to have as much of your data as possible go directly to an indexer.  Use a universal forwarder when that's not possible.  HFs are for special needs.

The batch_search_max_pipeline setting applies on indexers in a distributed environment.  That's why it has no effect on a standalone system.

---
If this reply helps you, Karma would be appreciated.
Reply

ips_mandar
Builder
‎12-14-2020 09:04 AM

@richgalloway Total data including hot/warm and cold data is 3TB for particular index and usually search run for last 14 days . and the searched index get data 100GB/day.
(I am talking about one specific index here and my environment has multiple index and total ingestion rate is 600GB/day which will grow in future)

server is not doing anything apart from splunk service. and splunk is not running high number of searches.
Regarding transforms i am using heavy forwarder where all the transformation will be happening.

as you said The batch_search_max_pipeline setting has no effect on standalone servers, so on which splunk environment it has effect.
Also is there any reason why it has no effect on standalone server.

Thanks for help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2020 11:29 AM

Let's back up a step or three.

Tell us about your search performance.  Why do you want to improve it?  How is it not meeting expectations?  The server is underutilized so any search performance problems must lie elsewhere.

When you say "underutilized", which metrics are you looking at?

Have you looked into improving the performance of the search(es) in question?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ips_mandar
Builder
‎12-14-2020 06:18 AM

@richgalloway 
I have windows server with 35GB RAM, 16 core pprocessor and currently Memory usage is below 40% and I want to get search results faster rather than waiting few minutes to get results. And as per my understanding each search takes only one core per search even though multiple cores are not in use so I also want to utilize core for each search to get results faster.
I already looked to improve/optimize searches and also I am using summary indexes for long running dashboard queries.
So my question is can I increase batch_search_max_pipeline to 2 on my standalone server? will it work?

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 07:19 AM

The batch_search_max_pipeline setting has no effect on standalone servers.

A few minutes for a search on that type of system is a long time, but whether it's too long depends on how much data is being searched.  How large is the index being searched?  What is the time window being searched?

What else is the server doing?  Is it running a lot of other searches?  How much data is being ingested?  Are there a lot of transforms on the incoming data?

These questions will help us to understand why the searches are slow.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...