Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use search head to enhance searching speed?

Raymond2T
Path Finder
‎03-01-2023 04:23 AM

I am newbie in splunk.

I would like to enhance the searching speed.

I am using a splunk instance in a VM (Master) that indexed different data (more than 10 imdexes at this moment).

Can I create more search head (VM- SH 1 and SH 2) to speed up the search and how can I achieve it?

Thank you 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-01-2023 07:00 AM

Hi @Raymond2T,

as @richgalloway said, adding a new search Head could be useful to have fastest searches only if you have too many concurrent searches and your Indexers are able to support them.

If you want fastest searches, you have three solutions that can also be used at the same time and obviously the best solution is to apply all of them:

  • using more performant disks: Splunk requires at least 800 IOPS for the data storage disks, check if your IOPS is compliant with this requirement: if not use another storage, if yes, use a more performant storage (es. SSD);
  • adding more resources to your Indexers, especially CPUs: remember that every search (and every subsearch) takes a CPU;
  • optimize your scheduled searches:
    • avoiding real time searches (a search takes a cpu and releases it when finishes),
    • scheduling your scheduled searches at different times,
    • avoiding commands as join or transaction,
    • limiting the time frames,
    • using accelarations.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-01-2023 07:00 AM

Hi @Raymond2T,

as @richgalloway said, adding a new search Head could be useful to have fastest searches only if you have too many concurrent searches and your Indexers are able to support them.

If you want fastest searches, you have three solutions that can also be used at the same time and obviously the best solution is to apply all of them:

  • using more performant disks: Splunk requires at least 800 IOPS for the data storage disks, check if your IOPS is compliant with this requirement: if not use another storage, if yes, use a more performant storage (es. SSD);
  • adding more resources to your Indexers, especially CPUs: remember that every search (and every subsearch) takes a CPU;
  • optimize your scheduled searches:
    • avoiding real time searches (a search takes a cpu and releases it when finishes),
    • scheduling your scheduled searches at different times,
    • avoiding commands as join or transaction,
    • limiting the time frames,
    • using accelarations.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Raymond2T
Path Finder
‎03-02-2023 05:57 PM

About accelaration , how can I do it ?
On the other hand, can I use GPU to improve the performance?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:48 AM

Splunk does not support GPUs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-02-2023 11:43 PM

Hi @Raymond2T,

adding CPUs you improve the available resources, so you reduce the queues in searches executions.

About accelerations see at https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutsummaryindexing 

In addition you could use Data Models (eventually accelerated) which further improves performance (https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutdatamodels).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2023 05:59 AM

More search heads will not enhance searching speed.  Additional SHs provide capacity to run more searches.

Search heads don't actually perform searches - they coordinate the actions of indexers, which do the real searching.  To enhance search performance, add more indexers then redistribute your data among them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...