Splunk Search

About real time search

yutaka1005
Builder

I want to know about CPU occupation when doing a real-time search.

If I build Splunk in a standalone way, and I configure a real-time search, I think that one of cpu core will be occupied.

But which server's cpu core is occupied by real-time search when configuring distributed search like indexer clustering?
will only cpu core of the search head be occupied? Or, because it is a distributed search, will cpu core of each search peer also be occupied?

Also, if I configured search head clustering, will cpu core of all members be occupied?

I am planning to create large scale configuration for personal use, and planning configure alerts using real time search (rolling window) in the environment, so I want to know how to use cpu core.

I appreciate if someone tell me about it.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

In a distributed real-time search, one core for each peer is occupied, but only one core on one search head is used.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

In a distributed real-time search, one core for each peer is occupied, but only one core on one search head is used.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yutaka1005
Builder

Thank you for answer.

you mean that only one core on one search head is used if search is processed in search head clustering?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, that is what I meant.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yutaka1005
Builder

Thank you for answer!

I understood it!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...