Apply parallel reduce processing to searches
If you have configured parallel reduce search processing for your deployment, you can use the
redistribute command to apply it to your high-cardinality searches, so they can complete faster.
If this is your first time reading about this feature, see Overview of parallel reduce search processing for an overview of parallel reduce search processing and a list of prerequisites.
To configure your deployment to use this functionality, see Configure parallel reduce search processing.
Use the redistribute command
redistribute command in a high-cardinality search to give that search the benefit of parallel reduce search processing. Only users with roles that have the
run_multi_phased_searches capability can use
redistribute command supports only streaming commands and the following nonstreaming commands:
See redistribute in the Search Reference.
About the run_multi_phased_searches capability
run_multi_phased_searches capability is not assigned to any role by default. As a best practice, we suggest that you create a specialized role for this capability and assign it only to users who can be trusted to run reasonable numbers of parallel reduce searches when overall indexer load is low.
See About defining roles with capabilities in Securing Splunk Enterprise.
Concurrent parallel reduce searches
By default, the number of concurrent parallel reduce searches that can run on an intermediate reducer is limited to the number of CPU cores in the reducer. This default is controlled by the
maxPrdSearchesPerCpu setting in
If the number of concurrent parallel reduce search processes running on your intermediate reducers exceeds the number of cores in your reducers, you might lose the search performance gains that parallel reduce search processing is designed to deliver. If you cannot lower your average number of concurrent parallel reduce search processes, you can disable the
useClientSSLCompression setting in
server.conf on your search heads and intermediate reducers. This should restore the lost parallel reduce search performance.
useClientSSLCompression causes the bundle replication process to require additional network bandwidth. If you depend on efficient bundle replication do not disable this setting.
To disable or enable
useClientSSLCompression, you must have access to the
limits.conf file for your Splunk deployment, located in
$SPLUNK_HOME/etc/system/local/. See About configuration files and the topics that follow it in the Admin Manual for more information about making configuration file updates.
Configure parallel reduce search processing
About search head clustering
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1