Hi,
I would like to know what the limit is on the number of real-time searches for the following H/W and user-count configuration (strictly not compromising on performance):
- 20 dashboards/charts with 15 to 20 concurrent users.
- Search head has 4 CPUs, 4GB RAM and 22GB disk space.
- Indexer has 4 CPUs, 4GB RAM and 400GB disk space.
- Approximate data volume is 50GB per day.
We would like to enable all 20 dashboards/charts based on real-time searches.
Any other suggestions for providing real-time monitoring using 20 charts for 20 users on the above-mentioned H/W configuration would be helpful.
Thanks
Strive
Performance depends on the comparative load of the indexer/search head and on how your searches are designed. General recommendations can be found below:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Realtimeperformanceandlimitations
Hi Drainy, we have scheduled saved searches running on 5-minute windows to create summary indexes. By the time the data is summarized and indexed it is somewhere close to 8 minutes. Having said that, this won't give the user real-time monitoring, since there is a delay. I would like the user to see the data in charts within 2 minutes of the data flowing into the forwarder.
I'd also comment that realtime searches may not be what you need here, you may find that running scheduled searches on 5 minute windows solves whatever particular problem you have. Could you elaborate on the use-case for all real-time searches?
I see. If you want 400 real-time searches going, even simple ones, you will need more hardware.
Thanks for your response. It's the latter part of your question.
We are analyzing how to get best out of our H/W and how we can optimize our queries.
The rule of thumb is one core per real-time search that is running concurrently.
Regards
One remark: an important thing is to use saved searches for all your panels (not inline searches); that way, if multiple users open the same dashboard, they will reuse the existing results.
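As an added illustration of the two points made in this thread (scheduled searches on 5-minute windows instead of real-time, and panels bound to saved searches rather than inline searches), here is a Simple XML dashboard that is not part of any post above. It shows the same panel twice: first as an inline real-time search, where every viewer who opens the dashboard starts a separate search process on the search head, and then bound to a scheduled saved search, where every viewer reads the results of the one search the scheduler already ran. The saved-search name `web_errors_5m`, the `index=web` data, the `status` field and the 30-second span are all invented for the example; the element names (`searchString`, `searchName`, `earliestTime`, `latestTime`) are the Splunk 5-era Simple XML form matching the 5.0.1 docs linked above.

```xml
<!-- Example only, not from the thread. Two versions of the same panel:
     the first is an inline real-time search (one search per viewer),
     the second references a scheduled saved search whose results are
     shared by every viewer. Names, index and field are assumptions. -->
<dashboard>
  <label>HTTP errors (example)</label>

  <!-- Weak: inline real-time search. Each open browser tab dispatches its
       own real-time search, so 20 such panels viewed by 20 users means
       400 concurrent real-time searches on the search head. -->
  <row>
    <chart>
      <title>5xx responses by host (inline, real-time)</title>
      <searchString>index=web status>=500 | timechart span=30s count by host</searchString>
      <earliestTime>rt-5m</earliestTime>
      <latestTime>rt</latestTime>
      <option name="charting.chart">column</option>
    </chart>
  </row>

  <!-- Better: panel bound to the saved search web_errors_5m (assumed
       name), which the scheduler runs once every 5 minutes. All viewers
       reuse that one result set; the search head runs one search per
       panel per interval instead of one per panel per viewer. -->
  <row>
    <chart>
      <title>5xx responses by host (shared scheduled search)</title>
      <searchName>web_errors_5m</searchName>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</dashboard>
```

The referenced saved search would be a stanza in savedsearches.conf along the lines of `[web_errors_5m]` with `search = index=web status>=500 | timechart span=30s count by host`, `dispatch.earliest_time = -5m@m`, `dispatch.latest_time = now`, `cron_schedule = */5 * * * *` and `enableSched = 1`; the cron interval is what sets the freshness of the chart, so tightening it to every 2 minutes costs proportionally more scheduled runs. In Splunk 6 and later Simple XML the same two panels are written with `<search><query>...</query><earliest>rt-5m</earliest><latest>rt</latest></search>` and `<search ref="web_errors_5m"/>` respectively.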
Thank you. This will get us going on our analysis.
Real-time searches are not created equal; it very much depends on what you're doing.
Additionally, what does "20 charts for 20 users" mean? Does each user have their own chart, or does every user look at every chart all the time? If the latter, you likely need more oomph to run those 400 charts.