Solved: Re: About real time search

yutaka1005 · ‎09-03-2017

I want to know about CPU occupation when doing a real-time search.

If I build Splunk in a standalone way, and I configure a real-time search, I think that one of cpu core will be occupied.

But which server's cpu core is occupied by real-time search when configuring distributed search like indexer clustering?
will only cpu core of the search head be occupied? Or, because it is a distributed search, will cpu core of each search peer also be occupied?

Also, if I configured search head clustering, will cpu core of all members be occupied?

I am planning to create large scale configuration for personal use, and planning configure alerts using real time search (rolling window) in the environment, so I want to know how to use cpu core.

I appreciate if someone tell me about it.

richgalloway · ‎09-04-2017

In a distributed real-time search, one core for each peer is occupied, but only one core on one search head is used.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-04-2017

In a distributed real-time search, one core for each peer is occupied, but only one core on one search head is used.

---
If this reply helps you, Karma would be appreciated.

yutaka1005 · ‎09-05-2017

Thank you for answer.

you mean that only one core on one search head is used if search is processed in search head clustering?

richgalloway · ‎09-06-2017

Yes, that is what I meant.

---
If this reply helps you, Karma would be appreciated.

yutaka1005 · ‎09-06-2017

Thank you for answer!

I understood it!

About real time search

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform