Splunk SOAR (f.k.a. Phantom)

Phantom Runner number of suggestions

PwC-Kimmy
Explorer

Our Phantom's DECIDED process often crashes for performance reasons.

We suspect this is caused by the low number of runners.

PwC-Kimmy_0-1621418469617.png

So if phantom server is 16 cores 256GB of memory, how many Runners should we set here?

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@PwC-Kimmy I don't think there is a direct mapping to resource vs runners. It's more of a incremental implement and check.

The Docs about the runners states the below which I think is relevant:

Increase the number of runners by one, or one for each python environment and measure performance before adding additional runners. Repeat this until you either achieve the performance gains desired, reach the maximum number of runners for each python environment, or encounter resource limits.

When you increase the number of Python runners you can see a decrease in the length of time it takes to complete a playbook. Many deployments can expect to see gains by adding between one and four more of each type of Python runner, with gains from adding additional Python runners tapering off after a total of five of each Python runner type.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.