Splunk Search

Limit on the number of realtime searches

strive
Influencer

Hi,

I would like to know the limit on the number of real-time searches for the following H/W and user-count configuration (strictly not compromising on performance):

  1. 20 dashboards/charts with 15 to 20 concurrent users.
  2. Search head has 4 CPUs, 4GB RAM and 22GB disk space.
  3. Indexer has 4 CPUs, 4GB RAM and 400GB disk space.
  4. Approximate data volume is 50GB per day.

We would like to enable all 20 dashboards/charts based on real time searches.

Any other suggestions for providing real-time monitoring using 20 charts for 20 users on the above-mentioned H/W configuration would be helpful.

Thanks
Strive

1 Solution

EMinaeva1
Explorer

Performance depends on the comparative load of the indexer/search head and on how your searches are designed. You can find general recommendations below:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Realtimeperformanceandlimitations

strive
Influencer

Hi Drainy, we have scheduled saved searches running on 5-minute windows to create summary indexes. By the time the data is summarized and indexed it is somewhere close to 8 minutes. Having said that, this won't give the user real-time monitoring since there is a delay. I would like the user to see the data in charts within 2 minutes of the data flowing into the forwarder.

Drainy
Champion

I'd also comment that real-time searches may not be what you need here; you may find that running scheduled searches on 5-minute windows solves whatever particular problem you have. Could you elaborate on the use case for all real-time searches?

martin_mueller
SplunkTrust

I see. If you want 400 real-time searches going, even simple ones, you will need more hardware.

strive
Influencer

Thanks for your response. It's the latter part of your question.
We are analyzing how to get the best out of our H/W and how we can optimize our queries.

gfuente
Motivator

The rule of thumb is one core per real-time search that is running concurrently.

Regards

yannK
Splunk Employee

One important remark: use saved searches for all your panels (not inline). That way, if multiple users open the same dashboard, they will reuse the existing results.
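As an added illustration of the two suggestions above (one core per concurrently running real-time search, and saved rather than inline searches so that users share results), here is a constructed configuration fragment that is not from the original thread or from Splunk's documentation. It shows a savedsearches.conf with a scheduled 5-minute summary-indexing search and a saved real-time search for a panel, plus the limits.conf settings that cap search concurrency. The stanza names, the index name, the search strings and the numeric values are assumptions chosen to match the 4-CPU search head from the question.

```ini
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf  (constructed example)

# Scheduled search that summarises each completed 5-minute window into a
# summary index. Panels then read the summary index instead of every user
# dispatching the raw search over the last N minutes.
[summary_errors_by_host_5m]
search = index=web sourcetype=access_combined status>=500 | sistats count by host
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_web
# Continuous scheduling: run every missed window after a scheduler stall so
# the summary index has no gaps.
realtime_schedule = 0

# Saved real-time search for a dashboard panel (2-minute sliding window).
# Because it is a named saved search rather than an inline panel search,
# users opening the same dashboard attach to one running search and share
# its results instead of each starting their own real-time search.
[rt_errors_last_2m]
search = index=web sourcetype=access_combined status>=500 | timechart span=10s count by host
dispatch.earliest_time = rt-2m
dispatch.latest_time = rt

# $SPLUNK_HOME/etc/system/local/limits.conf  (constructed example)
# Concurrency ceilings. With the 4 CPUs from the question, the historical
# search limit is max_searches_per_cpu * 4 + base_max_searches = 10, and
# concurrent real-time searches are capped at max_rt_search_multiplier times
# that, i.e. 10. That is below the 20 real-time panels asked for, which is
# the "one core per real-time search" rule of thumb expressed in numbers.
[search]
max_searches_per_cpu = 1
base_max_searches = 6
max_rt_search_multiplier = 1
```

In the dashboard, reference the saved search by name rather than pasting its search string into the panel (in current Simple XML, `<search ref="rt_errors_last_2m"/>`); the sharing of a single running search only happens when the panel points at the saved search. Raising the limits.conf values lets more searches start, but does not add cores, so on the hardware in the question it trades concurrency for the performance the asker wants to preserve.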

strive
Influencer

Thank you. This will get us going on our analysis.

martin_mueller
SplunkTrust

Real-time searches are not created equal; it very much depends on what you're doing.

Additionally, what does "20 charts for 20 users" mean? Does each user have their own chart, or does every user look at every chart all the time? If the latter, you likely need more oomph to run those 400 charts.
