Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does one search uses one CPU core (indexer) by default or does it depend on indexes being searched

payl_chdhry
Path Finder
‎02-25-2021 10:22 PM

Hi,

I am trying to understand a bit on how searches impact CPU usage on indexers.

Does one search uses one CPU core by default or does it depend on indexes being searched

Sometimes I have seen high CPU usage when large index is being searched or when users have multiple indexes as default and they do not specify, so multiple indexes are searched.

Note: It is single query, no subqueries.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-26-2021 01:12 AM

Hi @payl_chdhry,

Splunk search core usage does not depends on the indexes search, always one core as default. It is normal high cpu usage on search over multiple indexes or large time-range because it is working more buckets.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-26-2021 01:12 AM

Hi @payl_chdhry,

Splunk search core usage does not depends on the indexes search, always one core as default. It is normal high cpu usage on search over multiple indexes or large time-range because it is working more buckets.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

payl_chdhry
Path Finder
‎02-26-2021 06:53 AM

Thanks @scelikok for your response.

Is there a way we might be able to determine (not necessary accurately) how many CPU cores a search might utilize on indexer (if we know approx bucket size).

We are facing performance issue and so I would like to understand and hopefully explain to users regarding their search depending on the indexes they search on.

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎02-26-2021 11:20 PM

While it's not exact the introspection logs record cpu usage in alerts for splunk admins https://splunkbase.splunk.com/app/3796/ I have dashboards such as troubleshooting resource usage per user https://github.com/gjanders/SplunkAdmins/blob/master/default/data/ui/views/troubleshooting_resource_...

 

Which can find cpu information per search 

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...