Monitoring Splunk

How to configure wait time on search heads and indexers?

DarshanBK
Explorer

For one Splunk performance issue, it was mentioned to us as below:

"We have a wait time of 57ms on the Search Head and a wait time of 25ms on the indexer. A wait time of maximum 10ms is good for proper processing in Splunk. This could be the reason for the storage performance issue."

 

Could someone please let us know whether there is a parameter which denotes wait time on search head and indexers? If yes, please provide us some insight on what that parameter is and details about it.

0 Karma

a_kearney
Path Finder

We had a similar finding from Splunk with high I/O wait time on Search Heads. I have used the following search to monitor:

index=_introspection sourcetype=splunk_resource_usage component=IOStats
| eval avg_wait_ms = 'data.avg_total_ms'
| search data.mount_point="/apps/splunk"
| eval sla=10
| timechart limit=30 minspan=60s partial=f avg(data.avg_total_ms) as avg_wait_ms max(sla) AS sla by host

Use a trellis format (split by host) timechart to display. The sla=10 field is to show the 10ms Splunk recommended limit.

I haven't been able to work out why we have high I/O on the Search Heads though, indexer cluster seems to perform OK. The Search Head Captain has notably higher I/O wait compared to others. There have also been issues with KV Store, so wondering if that is related.

Note: I/O wait time is not a configuration that can be set. It is the result of the operations being carried out on the disk.

0 Karma
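
An added example, not part of either post above: the same IOStats data reduced to a per-host summary that can back a scheduled alert or a side-by-side comparison of search heads, rather than a chart. The 5-minute window and the 50% breach cutoff are assumptions chosen for illustration; the mount point, the field names and the 10 ms limit are the ones quoted in the thread.

```spl
index=_introspection sourcetype=splunk_resource_usage component=IOStats data.mount_point="/apps/splunk"
| bin _time span=5m
| stats avg(data.avg_total_ms) AS avg_wait_ms max(data.avg_total_ms) AS peak_wait_ms BY _time host
| eval breach=if(avg_wait_ms > 10, 1, 0)
| stats count AS windows sum(breach) AS breached_windows avg(avg_wait_ms) AS mean_wait_ms max(peak_wait_ms) AS peak_wait_ms BY host
| eval breach_pct=round(100 * breached_windows / windows, 1), mean_wait_ms=round(mean_wait_ms, 1)
| where breach_pct >= 50
| sort - breach_pct
```

Each result row is a host whose 5-minute average wait exceeded 10 ms in at least half of the windows in the search time range, so a short spike does not trigger it while a sustained problem does.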