Refine your search:

Looking for "high performance Splunk"

0

A client is looking for advice on tuning splunk for what they call "high performance" - defined as minimizing cpu, network transfer, disk IO.

I have been under the impression that the defaults are some of the best settings for general use, and I know the limits.conf maxKBps value will limit network traffic emitted from a forwarder.

Are there any other tunable settings you use to optimize CPU or disk use?

asked 05 Nov '10, 14:51

Jason's gravatar image

Jason
3.6k71073
accept rate: 43%

edited 15 Nov '10, 19:26

piebob's gravatar image

piebob ♦♦
4.5k41023

Are you talking about minimizing the forwarder footprint, or maximizing the Indexer performance?

(05 Nov '10, 19:47) rotten
One Answer:
oldestnewestmost voted
2

If you are talking about the indexer then I think you are mixing two ideas here.
The first one is being HIGH SPLUNK PERFORMANCE, that is, Splunk works fast, Splunk indexes fast, Splunk searches fast, Splunk does everything fast. If this is what you want, then you need Lots of CPU Power, Lots of RAM, FAST Disk IO and FAST network. And more importantly, you want all of the above because you want Splunk to USE all that power.

If you want splunk not to use PC resources, then do not index too much data, do not run heavy and dense searches, do not run realtime searches, do not allow more then one user at a time, do not do regex extractions while indexing etc..etc..

The idea here is, it really depends on the load you want to put on splunk. If you want Splunk to do heavy work, then you should be willing to allow it and enable it to do so with good hardware.

link

answered 05 Nov '10, 23:58

Genti's gravatar image

Genti ♦
3.8k5441
accept rate: 37%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×238
×60
×26

Asked: 05 Nov '10, 14:51

Seen: 1,396 times

Last updated: 25 Jan '11, 01:22

Related questions

Is this Sparc system a good choice for my splunk indexer? If not, what is?

Hardware capacity for indexing and searching

Optimizing Dashboards performances, looking for the better design

How do I get the most out of a 16 core server?

Limit CPU Access for splunk

Looking for search-head & indexer deployment advice

Slow Splunk - splunkd and auditd over 100% CPU - conflict?

Memory and CPU performance issues with field extractions

What is the best storage solution for optimal Splunk performance?

Copyright © 2005-2012 Splunk Inc. All rights reserved.