Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk performance issue

uagraw01
Motivator
‎03-19-2024 11:42 AM

Hello Splunkers!!

A generic question I want to ask. There are 40+ dashboards in which customer are using any optimization in any dashboards. They are using direct index search across all the panels. They are not using any base search and summary index in any of the dashboard panels. Sometime in one dashboard they are using 60+ panels with all index searches. Could any help me to provide all the consequences will happen in this scenerio?

 

Thanks in advance

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-19-2024 04:57 PM

Consequences...

  • Poor performance of your dashboard
  • Poor performance for other users
  • Excessive usage of an SVC licence if using SVC in Splunk Cloud - potentially causing additional licence costs to the organisation
  • Skipped searches
  • Your application will not be liked by others in your organisation
  • Alerts may not fire and as such you may miss critical security detections the could indicate hackers are attacking your system, or that critical infrastructure is having performance issues, resulting in an outage of your primary web site.

These are some, but not all of the consequences. All will depend on what you are using Splunk for, but I hope you get the picture.

I've seen one such dashboard such as yours with 60 panels all on auto refresh, all searching the same data independently and that one dashboard, out of 1000 others, was using a significant proportion of the compute cost across the search head cluster.

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-19-2024 02:55 PM

The number of _defined_ dashboards doesn't matter much. In fact most Splunk installations have many dashboards which are never used and as such they cause no problem. On the other hand even one dashboard used in parallel by many users can hog resources causing performance isues.

In general, if you (try to) overbook your resources depending on your configuration you might end up with delayed/skipped searches (remember that ad-hoc searches have priority so if you have unlimited roles, you can cause scheduled searches to be delayed/skipped), searches terminated due to resource exhaustion or in some cases even causing Splunk process to be killed due to memory exhaustion. There are many things that can go wrong.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...