Refine your search:

Performance Profiling

1

What's the best approach to start profiling a standalone server to determine either: a) the best way to improve performance on interactive searches; or b) whether it's time to start moving toward adding a dedicated search head and/or indexers?

I'm familiar with the docs at this URL, but looking for better steps to gauge when it's really time to move up vs. the need for specific tuning.

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeployment

asked 02 Sep '10, 05:40

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

One Answer:
oldestnewestmost voted
0

It's almost like asking when to buy a new car or change your hair style there are a lot of factors to consider. Performance can be improved in many ways. Learning to write the best searches and using the narrowest time frames will improve search performance without any hardware modifications. Minimizing or refining search time field extractions can also increase search performance. Increasing the firepower of your present server might also be an option.

As far as benchmarks go, they can be really subjective things like:
Do searches seem really slow? Are your users complaining?

Or they can be more measurable things like: Is it taking too long for data to get indexed? Are certain searches slow and others fast? Do you have a lot of concurrent users? What is your daily indexing rate? Are you planning on adding more users/data sources in the near future?

Adding a search head will not give too much of a performance boost since you are just moving SplunkWeb to a different machine. The way Splunk works splunkd does almost all of the heavy lifting. It indexes your data and it runs your searches, SplunkWeb just runs the user interface. Splitting up your indexing and searching across 2 indexers will give you the best performance increase since you are doubling both the indexing and searching power that way.

Check out one of our founder's blog entry on this topic: http://blogs.splunk.com/2009/10/27/add-a-server-or-two/

link

answered 02 Sep '10, 07:07

DrewO's gravatar image

DrewO
1124
accept rate: 11%

Thanks. I've seen the blog entry, though I'd forgotten it. As a clarification, I'm not so much looking for hard-and-fast rules or a "when x happens you need to upgrade". I'm more interested in objective metrics to support an informed decision on when and how to upgrade, as well as to identify when it's just a configuration issue or poorly written search. The bundled views go a little way towards that goal, but was wondering what else people were looking at, or if anyone had compiled a list of metrics or profiling searches.

(04 Sep '10, 02:22) southeringtonp ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×148
×100
×60

Asked: 02 Sep '10, 05:40

Seen: 882 times

Last updated: 02 Apr '11, 09:22

Related questions

Horizontal or Vertical scaling for best search head performance

Search head pooling performance with NFS

Indexer performance hit, for searches with no results

Best Practices for Multi-User Search Performance

DISTRIBUTED SEARCH: performance -vs- highavailability

the Windows app -> Performance management -> performance summary does not show any results

Slow Search Performance on AIX

Distance between a Search Head and an Indexer

Do search-time fields have performance considerations?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.