Splunk® Enterprise

Capacity Planning Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

How concurrent users and searches impact performance

The largest performance factor in a Splunk Enterprise deployment are:

  • The number of concurrent users.
  • The number of concurrent searches.
  • The types of searches used.


A user that submits a search request will use one CPU core on each indexer until the search is complete. Any additional searches that the user submits also account for one CPU core. You can adjust the number of global concurrent searches that a machine can run. See Expected performance and known limitations of real-time searches and reports in the Splunk Enterprise Search manual.

The type of search a user invokes also impacts hardware resource usage. See How search types affect Splunk Enterprise performance.

How to maximize search performance

To accommodate the resource overhead of running many concurrent searches, add additional indexers, and maximize the physical memory available to the indexers. The indexers do the bulk of the work in search operations, such as identifying the data requested, reading the data from disk, decompressing it, filtering the data, and streaming the results.

For example, if a search uses 200MB of memory, and there are 48 concurrent search requests, that equates to about 10GB of memory to meet the search load not including the OS requirements. The amount of available memory is an important resource to monitor. While performance on an indexer declines gradually with increased CPU usage from concurrent search jobs, it drops dramatically when all available physical memory is exhausted.

Search performance: A basic scenario

The aggregate run time of all searches increases as the number of available CPU cores on the indexer decreases. For example, on an indexer with no load and 12 available cores, the first searches to arrive for processing can complete within a short period of time. For this scenario, all searches will run to completion within 10 seconds.

12 concurrent searches: One indexer with 12 cores and no data being indexed.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
12 12 1 10 10

When there are 48 searches to run concurrently, the total time to complete all searches increases significantly.

48 concurrent searches: One indexer with 12 cores and no data being indexed.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
48 12 4 10 40

Because the indexers do the bulk of the work in search operations, such as identifying the data requested, reading the data from disk, decompressing it, filtering some data, and streaming the results, it is best practice to add indexers to decrease the total amount of time to return all search results.

A deployment with more indexers provides an aggregate increase in cores to improve the search completion time when there are many concurrent searches. When there are more cores available than concurrent searches, the cores can be used by Splunk Enterprise to perform maintenance operations, or can remain idle.

12 concurrent searches: 4 indexers with 12 cores per indexer and no data being indexed.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
12 48 1. By default, a search cannot take advantage of multiple cores. 10 10

48 concurrent searches: 4 indexers with 12 cores per indexer and no data being indexed.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
48 48 1 10 10

Search performance: Indexing data scenario

In an active deployment, the system is not sitting idle while searches arrive. If an indexer ingests 150GB/day of data, then it will use up to 4 of the available cores for indexing processes. With fewer cores available, the time it takes to return all search results increases.

12 concurrent searches: One 12-core indexer, with 8 available cores.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
12 8 2, as each core will remain in use until the prior search completes. 10 20

48 concurrent searches: One 12-core indexer, with 8 available cores.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
48 8 6 10 60

48 concurrent searches: 4 12-core indexers with 8 available cores.

No. of concurrent searches / No. of avail. cores = No. of searches per core No. of sec. per individual search = Approx. time (sec.) to complete all searches
48 32 2, as each core will remain in use until the prior search completes. 10 20

Having fewer indexers with greater core counts per indexer can decrease the amount of total time for search, but also reduces scaling efficiency by providing less aggregate IOPS for search operations.

Adding indexers reduces the indexing load on any one machine. Additionally, you reduce the search time, lower the impact of high search concurrency, and lower the impact of resource contention for I/O and memory.

Last modified on 23 January, 2017
PREVIOUS
Distribute indexing and searching
  NEXT
Reference hardware

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters