How concurrent users and searches impact performance
The largest performance factor in a Splunk Enterprise deployment are:
- The number of concurrent users.
- The number of concurrent searches.
- The types of searches used.
A user that submits a search request will use one CPU core on each indexer until the search is complete. Any additional searches that the user submits also account for one CPU core. You can adjust the number of global concurrent searches that a machine can run. See Expected performance and known limitations of real-time searches and reports in the Splunk Enterprise Search manual.
The type of search a user invokes also impacts hardware resource usage. See How search types affect Splunk Enterprise performance.
How to maximize search performance
To accommodate the resource overhead of running many concurrent searches, add additional indexers, and maximize the physical memory available to the indexers. The indexers do the bulk of the work in search operations, such as identifying the data requested, reading the data from disk, decompressing it, filtering the data, and streaming the results.
For example, if a search uses 200MB of memory, and there are 48 concurrent search requests, that equates to about 10GB of memory to meet the search load not including the OS requirements. The amount of available memory is an important resource to monitor. While performance on an indexer declines gradually with increased CPU usage from concurrent search jobs, it drops dramatically when all available physical memory is exhausted.
Search performance: A basic scenario
The aggregate run time of all searches increases as the number of available CPU cores on the indexer decreases. For example, on an indexer with no load and 12 available cores, the first searches to arrive for processing can complete within a short period of time. For this scenario, all searches will run to completion within 10 seconds.
12 concurrent searches: One indexer with 12 cores and no data being indexed.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
12 | 12 | 1 | 10 | 10 |
When there are 48 searches to run concurrently, the total time to complete all searches increases significantly.
48 concurrent searches: One indexer with 12 cores and no data being indexed.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
48 | 12 | 4 | 10 | 40 |
Because the indexers do the bulk of the work in search operations, such as identifying the data requested, reading the data from disk, decompressing it, filtering some data, and streaming the results, it is best practice to add indexers to decrease the total amount of time to return all search results.
A deployment with more indexers provides an aggregate increase in cores to improve the search completion time when there are many concurrent searches. When there are more cores available than concurrent searches, the cores can be used by Splunk Enterprise to perform maintenance operations, or can remain idle.
12 concurrent searches: 4 indexers with 12 cores per indexer and no data being indexed.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
12 | 48 | 1. By default, a search cannot take advantage of multiple cores. | 10 | 10 |
48 concurrent searches: 4 indexers with 12 cores per indexer and no data being indexed.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
48 | 48 | 1 | 10 | 10 |
Search performance: Indexing data scenario
In an active deployment, the system is not sitting idle while searches arrive. If an indexer ingests 150GB/day of data, then it will use up to 4 of the available cores for indexing processes. With fewer cores available, the time it takes to return all search results increases.
12 concurrent searches: One 12-core indexer, with 8 available cores.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
12 | 8 | 2, as each core will remain in use until the prior search completes. | 10 | 20 |
48 concurrent searches: One 12-core indexer, with 8 available cores.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
48 | 8 | 6 | 10 | 60 |
48 concurrent searches: 4 12-core indexers with 8 available cores.
No. of concurrent searches | / No. of avail. cores | = No. of searches per core | No. of sec. per individual search | = Approx. time (sec.) to complete all searches |
---|---|---|---|---|
48 | 32 | 2, as each core will remain in use until the prior search completes. | 10 | 20 |
Having fewer indexers with greater core counts per indexer can decrease the amount of total time for search, but also reduces scaling efficiency by providing less aggregate IOPS for search operations.
Adding indexers reduces the indexing load on any one machine. Additionally, you reduce the search time, lower the impact of high search concurrency, and lower the impact of resource contention for I/O and memory.
Distribute indexing and searching | Reference hardware |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!