Getting Data In

Performance Profiling

southeringtonp
Motivator

What's the best approach to start profiling a standalone server to determine either: a) the best way to improve performance on interactive searches; or b) whether it's time to start moving toward adding a dedicated search head and/or indexers?

I'm familiar with the docs at this URL, but looking for better steps to gauge when it's really time to move up vs. the need for specific tuning.

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...

DrewO
Splunk Employee
Splunk Employee

It's almost like asking when to buy a new car or change your hair style there are a lot of factors to consider. Performance can be improved in many ways. Learning to write the best searches and using the narrowest time frames will improve search performance without any hardware modifications. Minimizing or refining search time field extractions can also increase search performance. Increasing the firepower of your present server might also be an option.

As far as benchmarks go, they can be really subjective things like:
Do searches seem really slow? Are your users complaining?

Or they can be more measurable things like: Is it taking too long for data to get indexed? Are certain searches slow and others fast? Do you have a lot of concurrent users? What is your daily indexing rate? Are you planning on adding more users/data sources in the near future?

Adding a search head will not give too much of a performance boost since you are just moving SplunkWeb to a different machine. The way Splunk works splunkd does almost all of the heavy lifting. It indexes your data and it runs your searches, SplunkWeb just runs the user interface. Splitting up your indexing and searching across 2 indexers will give you the best performance increase since you are doubling both the indexing and searching power that way.

Check out one of our founder's blog entry on this topic: http://blogs.splunk.com/2009/10/27/add-a-server-or-two/

0 Karma

southeringtonp
Motivator

Thanks. I've seen the blog entry, though I'd forgotten it. As a clarification, I'm not so much looking for hard-and-fast rules or a "when x happens you need to upgrade". I'm more interested in objective metrics to support an informed decision on when and how to upgrade, as well as to identify when it's just a configuration issue or poorly written search. The bundled views go a little way towards that goal, but was wondering what else people were looking at, or if anyone had compiled a list of metrics or profiling searches.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...