10 billion indexed events

garyramah · ‎05-27-2011

Anyone out there have 10 Billion indexed events?
I do and I think it's slowing down my Splunk.

gekoner · ‎05-31-2011

I'll concur with piebob and erga00. I also have over 10B events indexed without issue.
If you have a single server on older hardware with default network setting, you might be seeing issues during large searches.
Things that will be helpful in understanding why you might be seeing slowness;

number of Splunk servers:
If more than 1 server, what roles do they operate:
server OS:
server hardware (memory, CPU, NIC (speed and #)):
splunk version:
splunk LFCs or UFCs reporting to indexers:
index=* host=* earliest=-7d | table host | dedup host

number of searches run (Expensive searches):
Search > Search Activity > Search details

erga00 · ‎05-31-2011

Agree with piebob, you'll need to provide more details if you want any meaningful replies.

To answer your original query, we're up to 52 billion events without any trouble.

piebob · ‎05-27-2011

can you please provide more details? what exactly is happening? what are you trying to learn here?

10 billion indexed events

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio