Solved: Re: Limit on the number of realtime searches

strive · ‎01-22-2013

Hi,

I would like to know what is the limit on the number of real time searches for the following H/W and user count configurations. (Strictly Not compromising on the performance)

20 dashboards/charts with 15 to 20 concurrent users.
SearchHead has 4 CPUs, 4GB RAM and 22GB disk space.
Indexer has 4CPUs, 4GB RAM and 400GB disk space.
Approximate data volume is 50GB per day.

We would like to enable all 20 dashboards/charts based on real time searches.

Any other suggestions to provide real time monitoring using 20 charts for 20 users for the above mentioned H/W configuration would be helpful.

Thanks
Strive

EMinaeva1 · ‎01-23-2013

Performance depends on comparative load of indexer/search head and how your searches are designed. General recommendations you could find below:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Realtimeperformanceandlimitations

View solution in original post

strive · ‎01-28-2013

Hi Drainy, We have scheduled saved searches running on 5 minute windows to create summary indexes. By the time the data is summarized and indexed it is somewhere close to 8 minutes. Having said that, this wont give user the real time monitoring since there is delay. I would like user to see the data in charts within 2 minutes of data flow into forwarder.

Drainy · ‎01-27-2013

I'd also comment that realtime searches may not be what you need here, you may find that running scheduled searches on 5 minute windows solves whatever particular problem you have. Could you elaborate on the use-case for all real-time searches?

martin_mueller · ‎01-27-2013

I see. If you want 400 real-time searches going, even simple ones, you will need more hardware.

strive · ‎01-27-2013

Thanks for your response. Its the latter part of your question.
We are analyzing how to get best out of our H/W and how we can optimize our queries.

gfuente · ‎01-23-2013

The rule of thumb is one core per real time search that is running concurrently.

Regards

yannK · ‎01-28-2013

Remark, one important thing is to use saved searches for all your panels, (not inline) that way if multiple users are opening the same dashboard the will reuse the existing results.

EMinaeva1 · ‎01-23-2013

Performance depends on comparative load of indexer/search head and how your searches are designed. General recommendations you could find below:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Realtimeperformanceandlimitations

strive · ‎01-27-2013

Thank you. This will get us going on our analysis.

martin_mueller · ‎01-23-2013

Real-time searches are not created equal, it very much depends on what you're doing.

Additionally, what does "20 charts for 20 users" mean? Each user has its own chart, or does every user look at every chart all the time? If the latter, you likely need more oomph do run those 400 charts.

Limit on the number of realtime searches

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?