How saved searches affect Splunk performance
This topic discusses how the number of saved searches - searches that you save to use again at a later time - affect Splunk performance.
On a reference Splunk indexer, a saved search consumes about 1 CPU core and a specified amount of memory while it executes. It also increases the amount of disk I/O temporarily as the disk subsystem looks through the indexes to fetch the desired data.
Each additional saved search that executes at the same time consumes an additional CPU core. This consumption is separate from CPU usage from the operating system and Splunk indexing and storage processes.
If more saved searches execute than can be accepted for processing, they will queue. Splunk also warns you when the system reaches the maximum number of saved searches. When searches queue, search results return more slowly.
Adding indexers and search heads provides additional CPU cores to run more concurrent searches. Adding RAM to your existing machines helps with concurrent searches but does not give you additional search capacity.
How the number of concurrent users impacts Splunk performance
How search types impact Splunk performance
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18