Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

One search job, one thread?

nickcode
Explorer
‎05-17-2013 04:49 AM

My deployment is: 1 forwarder + 2 indexers + 1 search head.
The forwarder has forwarded 50GB(about 100,000,000 events) to the two indexers;
When I launch a search like "sourcetype=xxx" from search head, I find the search performance really quite disappointing. Only 10,000 events can be scanned per second! That's to say, it will take about 3 hours to finish scaning all the events!
Each of my indexers has 24 cpus. And each time I launch a search from search head, only one cpu in each indexer is running about 100% while others keep free. It seems that one search job only works on one thread. That's quite a waste of my indexer' computing ability!
Are there any ways to config splunk to solve this problem?

0 Karma
Reply

nickcode
Explorer
‎05-17-2013 05:34 AM

Hm..Search heads distribute search requests across multiple indexers.
U can refer to http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Scaleyourdeployment

0 Karma
Reply

linu1988
Champion
‎05-17-2013 04:56 AM

As per my knowledge the indexer does only indexing, the search head does the searching. The search performance depends on the search head's capacity. If the performance is slower from your expectations, please check the running jobs and scheduled searches in your search head. That should indicate the cause of your performance degradation. And also please check the role under which you are running the searches too.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-17-2013 04:55 AM

The number of events scanned per second for one search usually is depending on your I/O rather than the number or speed of the CPUs.

As for your search itself, as long as you don't define any more specific filters splunk has to load 50GB off the disks and shove them towards the search head... that's a lot of work, what are you trying to find with the search?

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-17-2013 09:54 AM

If you specify other keys splunk will use those keys to narrow down what needs to be looked at in the first place, that's what indexing data is for.

As a simple example, looking for sourcetype=x error will only consider events that contain the word error from that sourcetype, potentially cutting the amount of data that needs to be read from disk by a huge factor.

Personally, I see no point in specifying a query that loads and lists 50GB of data, but then I don't know what you're trying to achieve...

0 Karma
Reply

nickcode
Explorer
‎05-17-2013 05:25 AM

And my I/O is not the bottleneck the iostat shows..

0 Karma
Reply

nickcode
Explorer
‎05-17-2013 05:23 AM

If I change the search to "sourcetype=xxx key1=value1 AND key2=value2", indexers will also scan all the events since splunk only indexes events by timestamp, isn't it?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...