We've been having severe Splunk performance issues on the following system:
Searches on everything (including _internal and other small indexes) are very slow... Machine resources (CPU, RAM, Disk) are all OK.
Performance was never great when Splunk was installed and started indexing data... but it got really bad as more data was being indexed (it's been just a few months).
As a method of eliminating the current Splunk configuration and indexes from the problem I'm thinking of a fresh new install of Splunk to see how it handles.
There is no problem with downtime or losing data (it's monitoring log files from a network share) so, I thought about
My questions are with:
- is there any "windows dependency" with registry or other problems I can expect?
- should I roll the hot buckets as indicated in other answers here?
- will all the configuration be kept (users, etc)?
asked 11 Aug '10, 14:13
After a full re-install, the performance was back at the expected level. We kept a full backup of the Splunk installation but I hope never to need "post-mortem" analysis on that. However, in the end, we never found out what the problem was in the first place :-(
answered 17 Aug '10, 15:33
There are no outside Windows dependencies other than the Windows Services (which are removed by the uninstall). There is no need to roll hot buckets if you copy them when Splunk is not running.
I don't really know why you'd have such performance problems, and I kind of doubt that this uninstall/reinstall will help. What will help a lot is if you identify for us what the disk you have Splunk on is. In particular, for both the
answered 11 Aug '10, 15:08