×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
dexterp
Explorer
Member since: ‎07-16-2015
‎02-04-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 1
Karma Received 5
Member Since ‎07-16-2015
Activity Feed
View All

Re: How to calculate max and actual search concurr...

by in Monitoring Splunk
‎01-19-2021 05:59 AM
5 Karma
‎01-19-2021 05:59 AM
5 Karma
The Answer. The calculation for max concurrent searches is (max_searches_per_cpu * cpu_count + base_max_searches) * num_search_members where ... max_searches_per_cpu - is a setting in limits.conf -> search stanza cpu_count - is actual real cores not virtual cores base_max_searches - is a setting in limits.conf -> search stanza num_search_members - is the number search heads in the cluster The calculation for actual concurrent searches Data is in the _audit index The logic consists of find the start time of a search and increment the count +1 find the end time of a search and decrement the count -1 using streamstats one can achieve a running count the start time is found by using _time=exec_time the end time is found using _time=exec_time+total_run_time use makemv and mvexpand to generate the start and end times Example Timechart  max concurrent searches is overlayed search type is stacked Search Replace <search_heads> with your search head(s) index=_audit action=search host=<search_heads> NOT "search_id='rsa_scheduler" | fields - _raw | eval search_type=case(match(search_id,"scheduler_"),"Scheduled",match(search_id,"SummaryDirector"),"Summarize") | eval search_type=if(isnull(search_type),"Ad-Hoc",search_type) | eval end_time=exec_time + total_run_time | eval events=exec_time + " " + search_type + " 1:" + end_time + " " + search_type +" -1" | fields _time events | makemv delim=":" events | mvexpand events | rex field=events "(?<_time>\S+)\s+(?<type>\S+)\s+(?<incr>\S+)" | fields - events | sort 0 _time | streamstats current=f sum(incr) as concur by type | timechart span=30s first(concur) by type | eval "max search concurrency" = [     | rest /services/properties/limits/search/max_searches_per_cpu     | fields splunk_server value     | rename value as max_searches_per_cpu     | append [          | rest /services/properties/limits/search/base_max_searches          | fields splunk_server value          | rename value as base_max_searches     ]     | append [         | rest splunk_server=<search_heads> /services/server/status/resource-usage/hostwide         | eval cpu_count = if(isnull(cpu_count), "0", cpu_count)         | fields splunk_server cpu_count     ]     | stats values(max_searches_per_cpu) as max_searches_per_cpu values(base_max_searches) as base_max_searches values(cpu_count) as cpu_count by splunk_server     | eval instance_max_concurrent_searches = (max_searches_per_cpu * cpu_count + base_max_searches)     | stats sum(instance_max_concurrent_searches) as max     | return $max ] Please Upvote if you fine helpful ... View more

Re: What does pset and ruse mean in splunkd.logs

by in Getting Data In
‎12-29-2020 04:16 PM
‎12-29-2020 04:16 PM
I thought it might be pipeline set, I just wanted to confirm it with Splunk.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-04-2021 09:49 AM
Karma from
Karma given to
View All