Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mulitple searchable copies in splunk...

a212830
Champion
‎09-21-2014 06:11 AM

Hi,

Does having multiple searchable copies of your index make splunk searches go faster? I've heard different responses on this question.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-21-2014 06:24 AM

Short answer: It depends, but usually not.

Long answer: In a regular old cluster there's one primary copy of each bucket that's queried by searchheads. Other searchable copies may exist, but they're not used. Using them wouldn't speed up most searches either, because the other search peers are busy serving up data from other buckets they may be primary for.
However, in a multi-site cluster search affinity lets search heads use a searchable copy in their own site, indeed speeding up searches. That's not achieved by querying one bucket in multiple search peers though, but rather by choosing one copy from a nearby search peer instead of a distant - and therefore slower - one.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-21-2014 08:04 AM

Just to be clear, it never makes a single search run faster. But as martin_mueller says, it can increase capacity if you have a multi-site cluster, so the total amount of searching can go faster. It is possible that future optimizations and improvements to Splunk will allow increased capacity even without multi-site clustering, but that is not the case in the current (6.1) version.

0 Karma
Reply

a212830
Champion
‎09-21-2014 07:37 AM

Thanks. Interesting - definitely NOT what I'm being told by Splunk SE's...

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-21-2014 06:40 AM

I confirm, for now on splunk 6.0 and 6.1 even if you have multiple searchable bucket copies only one will be searched.
The reason for having search-factor>1 is to have the some buckets copies immediately ready when an indexer is lost. And not have to wait for the preparation to make one of the copies a searchable copy.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...