Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does the union command affect CPU utilization?

kind7776
New Member
‎04-29-2018 11:24 PM

Hi,

[architecture]
One search header, several indexers, one LB forwarder

[Question]
* If one search statement is returned, the search starts from one indexer. (Using CPU 1 core)

  • When using the Union command in the search header, does the search run in one indexer? (Use CPU 1 core?)

  • If not, does one search statement run on multiple indexers? (Using multiple CPUs?)

  • The point is, when using the Union command, does one search statement run on multiple indexers?

Thanks.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-30-2018 03:08 AM

Do post your search to get a more detailed answer.

In general, the streaming portion of searches (e.g. index=foo | eval field = "bar") will run on all indexers in parallel.
The same holds true for union'd searches, e.g. | union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"] - which is the first example from the union docs at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/union
Every indexer will run the searches in parallel, and return results to the search head.

For most cases, I'd recommend using OR instead of union: index=foo OR index=bar | ... because you also get parallel execution on all indexers for the streaming part but don't run into limits of the union command.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-10-2018 12:08 PM

If you have spare cores, consider enabling batch mode search parallelization: http://docs.splunk.com/Documentation/Splunk/7.1.0/Capacity/Parallelization#Batch_mode_search_paralle...

That will allow all batch mode eligible searches to search multiple non-hot buckets at once.

As for append vs union, I'd use neither in most cases - instead OR your data sets together in one big search.

0 Karma
Reply

kind7776
New Member
‎05-02-2018 06:31 PM

Sorry, I seem to have confused the question.
For example, using the append command, you can physically query one CPU core (one indexer)
If you have multiple indexers, I wonder if you use the union command to physically search the CPU cour using several indexers (multiple indexers).

  • I understand that append uses one cpu core, and union uses multiple cpu cores, so it is faster when using the union command.

I wonder if the above is true.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...