Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search Performance Problem

michael_bates_1
Path Finder
‎08-22-2012 04:50 PM

I have a simple search that is not performing well over a large dataset.


System:

Sun/Oracle x4540

Processors: 12 cpu instances in total.

Six-Core AMD Opteron(tm) Processor 2435 CPU 1
Six-Core AMD Opteron(tm) Processor 2435 CPU 2

Memory: 32G

Index in question: 2 millon records per minute (550 GB per day)

Problem:

A simple search on this data, say over a 1 minute period takes in excess of 10 minutes to cmplete.
From this it is evident that, even using summary indexing will not work as I would end up with 10 concurrent searches just for the summary population.

Investigation:

zfs iostat shows periods when the disks are not being accessed when the search is running.

mpstat shows a single cpu instance running at user=100%, no io-wait at all.

prstat show splunkd only using 25% of usr cpu, with no iowait.

From this I conclude that there is no io bottleneck, so what is causing this search to run extremely slow to the point where I cannot even populate a summary index.

Any assistance/direction in where to look for the bottleneck and possible fixes would be greatfully received.

Regards,
Michael

Tags (3)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-22-2012 09:06 PM

It would be helpful to know what the search looks like, what the data looks like, and perhaps what the storage on which the index(es) are stored are and how it's configured.

In particular, it would be important to know the "density" of the search, and the easiest way is to see the search and understand how much of the data the search terms are expected to occur in.

If your search is dense (retrieving a large percentage of the index) then what you're seeing is going to be expected. The only way to deal with this (other than summarization) is to run multiple instances of Splunk. Splunk isn't designed for maximum search performance on a single server, but rather to be pretty fast on that and to then scale horizontally over many nodes.

I would also expect that if you're indexing at a rate of 550GB/day, you should see 2 or 3 cores running at 100% for indexing alone. You may be seeing this, but didn't mention it.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...