Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use search head to enhance searching speed?

Raymond2T
Path Finder
‎03-01-2023 04:23 AM

I am newbie in splunk.

I would like to enhance the searching speed.

I am using a splunk instance in a VM (Master) that indexed different data (more than 10 imdexes at this moment).

Can I create more search head (VM- SH 1 and SH 2) to speed up the search and how can I achieve it?

Thank you 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-01-2023 07:00 AM

Hi @Raymond2T,

as @richgalloway said, adding a new search Head could be useful to have fastest searches only if you have too many concurrent searches and your Indexers are able to support them.

If you want fastest searches, you have three solutions that can also be used at the same time and obviously the best solution is to apply all of them:

  • using more performant disks: Splunk requires at least 800 IOPS for the data storage disks, check if your IOPS is compliant with this requirement: if not use another storage, if yes, use a more performant storage (es. SSD);
  • adding more resources to your Indexers, especially CPUs: remember that every search (and every subsearch) takes a CPU;
  • optimize your scheduled searches:
    • avoiding real time searches (a search takes a cpu and releases it when finishes),
    • scheduling your scheduled searches at different times,
    • avoiding commands as join or transaction,
    • limiting the time frames,
    • using accelarations.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-01-2023 07:00 AM

Hi @Raymond2T,

as @richgalloway said, adding a new search Head could be useful to have fastest searches only if you have too many concurrent searches and your Indexers are able to support them.

If you want fastest searches, you have three solutions that can also be used at the same time and obviously the best solution is to apply all of them:

  • using more performant disks: Splunk requires at least 800 IOPS for the data storage disks, check if your IOPS is compliant with this requirement: if not use another storage, if yes, use a more performant storage (es. SSD);
  • adding more resources to your Indexers, especially CPUs: remember that every search (and every subsearch) takes a CPU;
  • optimize your scheduled searches:
    • avoiding real time searches (a search takes a cpu and releases it when finishes),
    • scheduling your scheduled searches at different times,
    • avoiding commands as join or transaction,
    • limiting the time frames,
    • using accelarations.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Raymond2T
Path Finder
‎03-02-2023 05:57 PM

About accelaration , how can I do it ?
On the other hand, can I use GPU to improve the performance?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:48 AM

Splunk does not support GPUs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-02-2023 11:43 PM

Hi @Raymond2T,

adding CPUs you improve the available resources, so you reduce the queues in searches executions.

About accelerations see at https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutsummaryindexing 

In addition you could use Data Models (eventually accelerated) which further improves performance (https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutdatamodels).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2023 05:59 AM

More search heads will not enhance searching speed.  Additional SHs provide capacity to run more searches.

Search heads don't actually perform searches - they coordinate the actions of indexers, which do the real searching.  To enhance search performance, add more indexers then redistribute your data among them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top