My deployment is: 1 forwarder + 2 indexers + 1 search head.
The forwarder has forwarded 50GB (about 100,000,000 events) to the two indexers.
When I launch a search like "sourcetype=xxx" from the search head, I find the search performance really quite disappointing. Only 10,000 events can be scanned per second! That's to say, it will take about 3 hours to finish scanning all the events!
Each of my indexers has 24 CPUs. And each time I launch a search from the search head, only one CPU in each indexer is running at about 100% while the others stay idle. It seems that one search job only works on one thread. That's quite a waste of my indexers' computing ability!
Are there any ways to configure Splunk to solve this problem?