Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to increase the maximum number of real-time searches

Bliide
Path Finder
‎09-15-2015 08:01 AM

I am trying to do a stress test on a new server in a fresh Splunk environment. I would like to increase the number of real-time searches allowed and see how much of a performance hit the server takes. I know I need to edit limits.conf, but I am not certain what stanza to add and what values to use.

Anyone with experience in tweaking limits.conf is what I am looking for. Is it best to start off by just adding a search stanza with: max_rt_search_multiplier = 2

or is it better to add:

max_searches_per_cpu = 2 ?

Our goal to is see how many concurrent real-time searches we can run before we start having a substantial performance hit.

0 Karma
Reply

steveyz
Splunk Employee
Splunk Employee
‎09-15-2015 02:40 PM

changing the max_rt_search_multiplier is the way to go. changing max_searches_per_cpu and base_max_searches will change also affect the real-time limit, but will alter the limit for historical searches too.

max real-time searches = max_rt_search_multiplier x (max_searches_per_cpu * + base_max_searches)

And to address woodcock's comment, there is a setting that you can tweak which will allow you to optionally trade performance for latency. It will run real-time searches with higher latency but generally use far less system resources. The setting is under

[realtime]
indexed_realtime_use_by_default = true/false (defaults to false. set to true for less resource usage but higher latency)

Reply

woodcock
Esteemed Legend
‎09-15-2015 09:19 AM

I can tell you that answer: ONE! Unless you have designated your entire cluster to the purpose of running Real-Time Searches, don't run any.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...