Splunk Search

How to set/gather Performance benchmark for splunk infrastructure

Path Finder

Assuming that Splunk is installed as per the recommended reference architecture and hardware, then based on real-world performance in other customers what are the Splunk benchmarks for the following metrics (assuming 5-10 GB data ingestion per day)

- Latency  [i.e., how long would it take from the point an event is generated to the time it is available for searching / alerting]
- Search query response times [i.e., what would be the typical range of wait times before the search result is available]
- Data reliability [i.e., what is typically the percentage of data transmitted from source systems that is successfully indexed]
- Data integrity [i,e search results should be uniform , it should not change for the same time range when executed later]

Is there any standard numbers given offcially by splunk when their standard infra requirements is followed ?

0 Karma

Ultra Champion

here is a non complete answer.
as far as i know, there are no documented benchmarks as there are many variables. as for your points:
1. depends on how long it takes it to arrive to the indexer, network latency, other metrics, etc. you can measure it by comparing the _time field (time of event) to _indextime field (time when event was indexed)
2. Search Query, this is really depends on your search. it also depends on the load the Search Head is under.
3. Data reliability, depends how you bring data in, TCP, UDP, API call etc. check answers here regarding "how can i really know all my events are in splunk?"
4. this is very accurate, for the same time range and search query, you will recive the exact same results.
hope it helps

0 Karma
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...