Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Indexing: Performance

This topic is a reference for the Performance dashboards under the Indexing menu in the Monitoring Console.

For more information about troubleshooting indexing performance problems, see Identify and triage indexing performance problems in the Troubleshooting Manual.

Indexing Performance: Deployment

The Indexing Performance: Deployment dashboard provides an overview of indexing performance across your Splunk Enterprise deployment.

In the Overview of Indexing Performance panel, total indexing rate is summed over all indexers.

In the Instances by Estimated Indexing Rate panel, the indexing rate is estimated because it uses metrics.log, which takes only the top ten results for each type by default. See About metrics.log in the Troubleshooting Manual.

Indexing Performance: Instance

The Indexing Performance: Instance dashboard contains panels about indexing performance on a per-indexer basis. These panels can provide more detailed insight into problems that surface in the deployment-wide dashboard.

The Splunk Enterprise Data Pipeline panel exposes decaying averages for queue sizes. The averages use data over the previous 15 minutes. This panel, along with the historical panel Median Fill Ratio of Data Processing Queues, helps you narrow down sources of indexing latency to a specific queue. Data starts at parsing and travels through the data pipeline to indexing at the end.

Here is an example of the Splunk Enterprise Data Pipeline panel for an instance with unhealthy queues:

Cloggedpipeline.png

In this example, although the parsing and aggregator queues have very high fill ratios, the problem is likely to be with processes in the typing queue. The typing queue is the first one that slows down, and data is backing up into the other two queues while waiting to get into the typing queue.

Indexing Performance: Advanced

The primary purpose of the Indexing Performance: Advanced dashboard is to provide information about pipeline set performance. You can use the dashboard to gain insight into the activity of the pipeline sets and their component pipelines. See Manage pipeline sets for index parallelization in Managing Indexers and Clusters of Indexers.

This dashboard is primarily of use when troubleshooting performance issues in consultation with Splunk Support. Without expert-level knowledge of the underlying processes, it can be difficult to interpret the information sufficiently to determine performance issue remediation.

The dashboard also includes panels with information on a few other advanced performance metrics, such as CPU usage. One of these panels, the Aggregate CPU Seconds Spent per Indexer Processor Activity panel, lets you "Split index service by subtask." The several index services are subtasks related to preparing for and cleaning up after indexing. For more information about the subtask categories, see the metrics.log topic in the Troubleshooting Manual.

Troubleshoot these dashboards

The snapshot panels get data from Splunk REST endpoints for introspection. If snapshot panels lack data, check

  • the system requirements for platform instrumentation.
  • the pipelinesets setting in server.conf. When pipeline sets are used (that is, if pipelinesets is set to a value greater than 1), some panels of the Monitoring Console indexing performance dashboards will be blank.

The historical panels for these dashboards get data from metrics.log.

Last modified on 02 March, 2021
Access and customize health check   Indexing: Indexes and Volumes

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters