How to set/gather Performance benchmark for splunk...

xbbj3nj · ‎08-18-2017

Assuming that Splunk is installed as per the recommended reference architecture and hardware, then based on real-world performance in other customers what are the Splunk benchmarks for the following metrics (assuming 5-10 GB data ingestion per day)

- Latency  [i.e., how long would it take from the point an event is generated to the time it is available for searching / alerting]
- Search query response times [i.e., what would be the typical range of wait times before the search result is available]
- Data reliability [i.e., what is typically the percentage of data transmitted from source systems that is successfully indexed]
- Data integrity [i,e search results should be uniform , it should not change for the same time range when executed later]

Is there any standard numbers given offcially by splunk when their standard infra requirements is followed ?

adonio · ‎08-18-2017

here is a non complete answer.
as far as i know, there are no documented benchmarks as there are many variables. as for your points:
1. depends on how long it takes it to arrive to the indexer, network latency, other metrics, etc. you can measure it by comparing the _time field (time of event) to _indextime field (time when event was indexed)
2. Search Query, this is really depends on your search. it also depends on the load the Search Head is under.
3. Data reliability, depends how you bring data in, TCP, UDP, API call etc. check answers here regarding "how can i really know all my events are in splunk?"
4. this is very accurate, for the same time range and search query, you will recive the exact same results.
hope it helps

How to set/gather Performance benchmark for splunk infrastructure

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!