Hi,
I hope all is well.
I am writing to ensure I am getting the correct picture on the SHC search:
Assumption:
3x search head with CPU: 32 cores.
max search per cpu = 2
For Real-time searches:
max_rt_searches = max_rt_search_multiplier x max_hist_searches
As per the above, we can conclude the below per each node:
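The numbers the post is working towards can be computed from the two formulas quoted above plus the limits.conf defaults. The following is an added example, not Splunk code or code from any poster: it takes the assumed node (32 cores, max_searches_per_cpu = 2) and the limits.conf settings named in the thread, with base_max_searches = 6, max_rt_search_multiplier = 1, max_searches_perc = 50 and auto_summary_perc = 50 as the stock defaults. Applying the scheduler percentage to the real-time pool in the same way as to the historical pool is an assumption made to reproduce the "35 / 35" split the thread refers to; check the Monitoring Console's search concurrency view on your own cluster before relying on it.

```python
"""Per-node and cluster-wide search concurrency pools for a Splunk search head.

Added example: derives the pools from the limits.conf formulas quoted in the
post. Defaults below are the stock limits.conf values; the per-node figures
are multiplied by the number of search heads for the cluster-wide view.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchLimits:
    cores: int
    max_searches_per_cpu: int = 1      # limits.conf [search], default 1
    base_max_searches: int = 6         # limits.conf [search], default 6
    max_rt_search_multiplier: int = 1  # limits.conf [search], default 1
    max_searches_perc: int = 50        # limits.conf [scheduler], default 50
    auto_summary_perc: int = 50        # limits.conf [scheduler], default 50


def node_pools(lim: SearchLimits) -> dict:
    """Concurrency limits for a single search head."""
    # max_hist_searches = max_searches_per_cpu x cores + base_max_searches
    max_hist = lim.max_searches_per_cpu * lim.cores + lim.base_max_searches
    # max_rt_searches = max_rt_search_multiplier x max_hist_searches
    max_rt = lim.max_rt_search_multiplier * max_hist
    # Share of the historical pool the scheduler may use, and the part of that
    # share reserved for report/data-model acceleration (summarization).
    sched_hist = max_hist * lim.max_searches_perc // 100
    summarization = sched_hist * lim.auto_summary_perc // 100
    # ASSUMPTION: the same percentage is applied to the real-time pool to get
    # the scheduled real-time share; verify against the Monitoring Console.
    sched_rt = max_rt * lim.max_searches_perc // 100
    return {
        "max_hist_searches": max_hist,
        "max_rt_searches": max_rt,
        "scheduled_historical": sched_hist,
        "summarization": summarization,
        "scheduled_historical_non_summary": sched_hist - summarization,
        "scheduled_realtime": sched_rt,
    }


def cluster_pools(lim: SearchLimits, search_heads: int) -> dict:
    """Cluster-wide totals: every member contributes its own pools."""
    return {k: v * search_heads for k, v in node_pools(lim).items()}


def rt_detections_fit(lim: SearchLimits, search_heads: int, rt_detections: int) -> bool:
    """Can this many always-on real-time detections run at once on the cluster?

    A real-time search holds a search-head CPU for its whole lifetime (and one
    on each participating indexer, which this function does not model), so the
    whole count is checked against the scheduled real-time pool.
    """
    return rt_detections <= cluster_pools(lim, search_heads)["scheduled_realtime"]


if __name__ == "__main__":
    assumed = SearchLimits(cores=32, max_searches_per_cpu=2)
    print("per node:", node_pools(assumed))
    print("3 members:", cluster_pools(assumed, 3))
    print("120 RT detections fit:", rt_detections_fit(assumed, 3, 120))
```

With the thread's assumptions this yields 70 historical and 70 real-time slots per node, of which 35 go to the scheduler (17 of them for summarization) and 35 to scheduled real-time searches; three members give 105 scheduled real-time slots cluster-wide.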
Yes, the terminology here can be somewhat confusing. Splunk uses the term "real-time" in two different contexts when it comes to searching.
One thing is a real-time search. It is a search which is done not against already indexed data but on the incoming data as it is ingested by Splunk. This type of search allocates one CPU on the search head running the search for the whole time the search is running, and one CPU on each participating indexer. The other type of search is a historical search, which runs on data returned by indexers from the buckets residing on disk, i.e. already indexed data.
Another thing is the real-time schedule mode. This means that a run of a scheduled search will be attempted at the scheduled time, but if there are no free search slots, Splunk will delay it for some time (if the configuration of the search allows it); if it still cannot find a free slot to run it, the search run will get skipped. The other scheduling mode is continuous, which means that Splunk will try to run the search for a given time slot indefinitely until it finally can do so (I suppose there are some technical limits to that, but that's the general idea). The caveat is that continuously scheduled searches have lower priority within the scheduler.
Guys,
Please read these articles carefully:
Kindly, from the below screenshots, we can find that there are some RT scheduled searches that are enabled by default by Splunk itself and use indexed real-time, so can we create some real-time scheduled searches to accommodate the RT pool?
No. If you turn on indexed real-time searches, it changes slightly the way real-time searches work. But it's still about real-time search, not about real-time schedule. (yes, I know it's confusing, I've already said so ;-))
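The two axes described above (real-time search vs. historical search, and real-time schedule mode vs. continuous schedule mode) are set by different keys in savedsearches.conf: the dispatch time range (rt- modifiers) decides the first, realtime_schedule decides the second. The following is an added example, not code from the thread or from Splunk: it parses a constructed savedsearches.conf excerpt and reports, for each stanza, which kind of search it is and which scheduler mode it uses, then counts how many enabled scheduled searches land in each concurrency pool. The stanza names and searches are made up; realtime_schedule defaulting to 1 and enableSched gating scheduling are the documented savedsearches.conf semantics.

```python
"""Classify savedsearches.conf stanzas along the two axes the thread discusses.

Added example with constructed input; not Splunk's own code.
"""
import configparser

# Constructed savedsearches.conf excerpt (example data, not from any real app).
SAMPLE_SAVEDSEARCHES = """
[Brute force - RT detection]
search = index=wineventlog EventCode=4625 | stats count by src | where count > 20
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
cron_schedule = */5 * * * *
enableSched = 1
realtime_schedule = 1

[Brute force - historical, continuous]
search = index=wineventlog EventCode=4625 | stats count by src | where count > 20
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
cron_schedule = 0 * * * *
enableSched = 1
realtime_schedule = 0

[Brute force - historical, default mode]
search = index=wineventlog EventCode=4625 | stats count by src | where count > 20
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1

[Ad hoc report, not scheduled]
search = index=_internal | stats count
dispatch.earliest_time = -24h
dispatch.latest_time = now
"""


def load_stanzas(text: str) -> dict:
    """Parse Splunk's ini-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: enableSched is case-sensitive in Splunk
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def search_type(stanza: dict) -> str:
    """'realtime' when the window uses rt- time modifiers, else 'historical'.

    A real-time search runs against data as it is ingested and holds a CPU on
    the search head and on each indexer for as long as it is running.
    """
    earliest = stanza.get("dispatch.earliest_time", "")
    latest = stanza.get("dispatch.latest_time", "")
    return "realtime" if earliest.startswith("rt") or latest.startswith("rt") else "historical"


def schedule_mode(stanza: dict) -> str:
    """Scheduler behaviour when no slot is free.

    realtime_schedule = 1 (the default): run now or, after any schedule_window,
    skip the run. realtime_schedule = 0: continuous, keep trying to run every
    scheduled time slot, at lower scheduler priority.
    """
    if stanza.get("enableSched", "0") != "1":
        return "not scheduled"
    return "continuous" if stanza.get("realtime_schedule", "1") == "0" else "realtime"


def classify(text: str) -> dict:
    """{stanza: (search type, schedule mode)} for every stanza in the text."""
    return {name: (search_type(s), schedule_mode(s)) for name, s in load_stanzas(text).items()}


def pool_counts(text: str) -> dict:
    """How many enabled scheduled searches fall into each concurrency pool."""
    counts = {"realtime": 0, "historical": 0}
    for s in load_stanzas(text).values():
        if schedule_mode(s) != "not scheduled":
            counts[search_type(s)] += 1
    return counts


if __name__ == "__main__":
    for name, (kind, mode) in classify(SAMPLE_SAVEDSEARCHES).items():
        print(f"{name}: {kind} search, schedule mode {mode}")
    print(pool_counts(SAMPLE_SAVEDSEARCHES))
```

Run against a real app's savedsearches.conf (or the merged output of `splunk btool savedsearches list`), the counts tell you how many searches compete for the real-time pool versus the historical scheduler pool, which is the capacity question the thread is about.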
Thank you, really appreciated!
Hi @0xAli ,
good for you, see you next time!
Let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @0xAli ,
your settings seem to be correct; the only way to proceed is to analyze the load on your SHs using the Monitoring Console. In this way you can see the health status of your system and, if needed, take some tuning actions, e.g.:
Ciao.
Giuseppe
Thanks for your support, it's really appreciated!
Could you please clarify more on that point:
"avoid to use real-time searches and transforms them in scheduled searches,"
As from the calculated values, we have two separate pools, one for the historical scheduled searches (35 - Summarization) and one for the RT-scheduled searches (35), so the capacity of the RT will not affect the historical, and it's higher than historical (35 = Summarization + Historical scheduled search).
Real-time searches means ES detection + RT mode?
Scheduled searches means ES detection + Continuous mode?
Hi @0xAli ,
about first question:
in Splunk a search takes a CPU (more if you also have subsearches in the main search) until it finishes, so an RT search takes one or more CPUs forever; it's better to schedule a search so it will release the CPUs when finished.
About second question:
No, RT depends on how you configured your detections: scheduled or RT. As I said, avoid RT if you can; otherwise give more resources (CPUs) to your Indexers and Search Heads!
On Splunk Cloud RT searches are usually blocked for all non-admin users!
Ciao.
Giuseppe
Now I got your point; the confusion comes from the hint under the RT/scheduled mode.
Thank you!
Let me leave below what I have got from the truly insightful discussion with you all:
1. Schedule Mode (Continuous or real-time) doesn't determine the type of the Scheduled Search (RT Scheduled Search or Historical Scheduled Search); it just determines the behaviour when search slots are unavailable, i.e. whether the Scheduled Search will be skipped or DEFERRED?
Then a historical scheduled Search can operate in Continuous mode or Real-time mode?
A Real-time scheduled Search always uses Real-time scheduling by nature?
If I am correct - as per the above - kindly give me an example of a Real-time scheduled Search and a historical scheduled Search (when can I say it's an RT-scheduled Search or a historical scheduled Search)?
Hi @0xAli ,
about the first assumption, it isn't correct:
Schedule Mode (Continuous or real-time) determines the type of the Scheduled Search (RT Scheduled Search or Historical Scheduled Search).
A historical scheduled Search can operate in Continuous mode or Real-time mode?
Historical scheduled Searches are in Continuous Mode, not in RT Mode; what's the sense of an RT historical search?
A Real-time scheduled Search always uses Real-time scheduling by nature?
yes
Ciao.
Giuseppe