Splunk Search

Does increasing Search Factor increase search speeds?

cam343
Path Finder

In a scenario we will be using a Splunk cluster with 3 indexers.
The cluster will have a replication factor of 3.
If I configure the search factor to be 3 (instead of the default 2) will this increase my search / reports times because all 3 indexers can participate in the search instead of 2 them only participating? or do the searches not actually get split up like that?

Thanks,
Cam

cam343
Path Finder

Thank you I was just about to update and answer my own question.

To provide some references for people:
"A primary copy of a bucket is the searchable copy that participates in a search. A valid cluster has exactly one primary copy of each bucket. That way, one and only one copy of each bucket gets searched." [1]

and

"To ensure that exactly one copy of each bucket participates in a search, one searchable copy of each bucket in the cluster is designated as primary. Searches occur only across the set of primary copies" [2]

[1] http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Bucketsandclusters
[2] http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Basicclusterarchitecture

martin_mueller
SplunkTrust
SplunkTrust

Another thought - ideally there is no search performance left to gain. If your forwarders balance the data between all indexers you already are searching on all indexers with more or less equal shares, given a large enough set of data to crawl through.

0 Karma

yannK
Splunk Employee
Splunk Employee

no, you only search on a single copy of the bucket at a time.

Increasing the searchfactor will require more indexer to store the replicated copy of the buckets in a searchable state.
So the consequence will be that more cpu/disk space will be used to maintain them ready.
And the goal is to have more indexers to failover for search in case of close consecutive indexers outages.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...