Workload management examples
The following scenarios provide some guidance on how to use workload management in Splunk Enterprise. These scenarios are hypothetical examples only. The exact steps will depend on your specific objectives and requirements.
Scenario 1: Prioritize Security team searches
Use cases:
- Provide a high priority resource pool for all searches run by the security team.
- Put all index=* and all-time-range searches in the low priority pool.
- Abort all real-time searches after 1m.
- Move all long-running searches (>5m) that are not from the security team or sc_admin into a low priority pool.
- Abort all long-running searches (>10m) that are not from the security team or sc_admin.
To do this, follow the steps below:
- From Splunk Web, go to Settings > Workload Management.
- Create the following workload rules by clicking Add Workload Rule.
The order of the rules is important. Rules are evaluated in order from top to bottom. If a search triggers a rule, the corresponding action is taken and none of the rules below it are evaluated. For example, if Rule #2 were ordered above Rule #1 in the table below, Rule #2 would be triggered after 5 minutes and the search would be moved to the alternate pool. On the next evaluation, Rule #2 would be triggered again. Rule #1 would never trigger, so the search would not be aborted even after 10 minutes.
| Order | Condition | Action |
|---|---|---|
| 1 | NOT (role=security OR role=sc_admin) AND runtime>10m | Abort |
| 2 | NOT (role=security OR role=sc_admin) AND runtime>5m | Move search to alternate pool: limited_perf |
| 3 | search_mode=realtime AND runtime>1m | Abort |
| 4 | index=* OR search_time_range=alltime | Place search in pool: |
| 5 | role=security | Place search in pool: |
The rules are created and placed in this order to achieve the use cases. The rules are evaluated every few seconds and whenever a new search is started. If a search meets the condition of a rule, the corresponding action is taken and the rules below it are not evaluated.
Scenario 2: Create a high priority pool for scheduled searches
This scenario represents the following use case:
- Provide a high priority pool for all scheduled searches from users in role=privileged, but move these searches to the standard pool if they run for more than 2m.
- Move all ad hoc searches running for more than 5m to the low priority pool.
- Put all index=* and all-time-range searches in the low priority pool.
- Abort all searches running for more than 15m, except searches from the sc_admin role.
To do this, follow the steps below:
- From Splunk Web, go to Settings > Workload Management.
- Create the following workload rules by clicking Add Workload Rule.
| Order | Condition | Action |
|---|---|---|
| 1 | NOT (role=sc_admin) AND runtime>15m | Abort |
| 2 | search_type=adhoc AND runtime>5m | Move search to alternate pool: limited_perf |
| 3 | role=privileged AND search_type=scheduled AND runtime>2m | Move search to alternate pool: standard_perf |
| 4 | index=* OR search_time_range=alltime | Place search in pool: |
| 5 | role=privileged AND search_type=scheduled | Place search in pool: |
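The following is an added illustration, not Splunk code and not part of this documentation page: a small Python model of the evaluation semantics described above (rules checked top to bottom at search start and then periodically, first matching rule fires, rules below it are skipped) loaded with the rule sets of both Scenario 1 and Scenario 2. The Search fields, the minute-by-minute evaluation interval, and the treatment of "Place" and "Move" as both assigning a pool are assumptions of the model; the pool names for the two "Place search in pool:" rules are placeholders because the page does not give them. It reproduces the ordering mistake the Scenario 1 text warns about, and shows two consequences of the given order that are easy to miss: a security-team all-time search lands in the low priority pool because Rule 4 sits above Rule 5, and the security-role exemption in Rules 1 and 2 does not exempt a real-time search from Rule 3.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# The page leaves the "Place search in pool:" targets blank; these names are placeholders.
HIGH_PRIORITY_POOL = "HIGH_PRIORITY_POOL_PLACEHOLDER"
LOW_PRIORITY_POOL = "LOW_PRIORITY_POOL_PLACEHOLDER"


@dataclass
class Search:
    """The search attributes the page's conditions test. Field names are assumptions."""
    role: str
    search_type: str = "adhoc"    # "adhoc" or "scheduled"
    search_mode: str = "normal"   # "normal" or "realtime"
    index_all: bool = False       # the search uses index=*
    alltime: bool = False         # search_time_range=alltime
    runtime: int = 0              # minutes the search has been running
    pool: Optional[str] = None
    aborted: bool = False
    history: List[str] = field(default_factory=list)


@dataclass
class Rule:
    order: int
    condition: Callable[[Search], bool]
    action: str                   # "abort", "move" or "place"
    pool: Optional[str] = None    # target pool for move/place


def evaluate_once(rules, s):
    """One pass: the first matching rule fires and every rule below it is skipped."""
    for r in rules:
        if not r.condition(s):
            continue
        if r.action == "abort":
            s.aborted = True
        else:  # this model treats "move" and "place" alike: both assign the pool
            s.pool = r.pool
        s.history.append(f"t={s.runtime}m: rule {r.order} -> {r.action}")
        return r.order
    return None


def run(rules, s, minutes):
    """Evaluate at search start, then once a minute until the search is aborted or time is up."""
    for t in range(minutes + 1):
        s.runtime = t
        evaluate_once(rules, s)
        if s.aborted:
            break
    return s


def not_exempt(s):
    return s.role not in ("security", "sc_admin")


SCENARIO_1 = [  # rules in the order the page gives them
    Rule(1, lambda s: not_exempt(s) and s.runtime > 10, "abort"),
    Rule(2, lambda s: not_exempt(s) and s.runtime > 5, "move", "limited_perf"),
    Rule(3, lambda s: s.search_mode == "realtime" and s.runtime > 1, "abort"),
    Rule(4, lambda s: s.index_all or s.alltime, "place", LOW_PRIORITY_POOL),
    Rule(5, lambda s: s.role == "security", "place", HIGH_PRIORITY_POOL),
]

SCENARIO_2 = [  # rules in the order the page gives them
    Rule(1, lambda s: s.role != "sc_admin" and s.runtime > 15, "abort"),
    Rule(2, lambda s: s.search_type == "adhoc" and s.runtime > 5, "move", "limited_perf"),
    Rule(3, lambda s: s.role == "privileged" and s.search_type == "scheduled" and s.runtime > 2,
         "move", "standard_perf"),
    Rule(4, lambda s: s.index_all or s.alltime, "place", LOW_PRIORITY_POOL),
    Rule(5, lambda s: s.role == "privileged" and s.search_type == "scheduled", "place", HIGH_PRIORITY_POOL),
]


def scenario1_analyst(rules=SCENARIO_1):
    """Non-exempt analyst search: moved to limited_perf at 6m, aborted at 11m in the page's order."""
    s = run(rules, Search(role="analyst"), minutes=12)
    return s.pool, s.aborted, s.runtime


def scenario1_swapped():
    """The ordering mistake the page warns about: with rule 2 above rule 1 the search is never aborted."""
    return scenario1_analyst([SCENARIO_1[1], SCENARIO_1[0]] + SCENARIO_1[2:])


def scenario1_security_alltime():
    """Rule 4 sits above rule 5, so a security-team all-time search lands in the low priority pool."""
    return run(SCENARIO_1, Search(role="security", alltime=True), minutes=0).pool


def scenario1_security_realtime():
    """Rules 1 and 2 exempt the security role but rule 3 does not: real-time search aborted after 1m."""
    s = run(SCENARIO_1, Search(role="security", search_mode="realtime"), minutes=3)
    return s.aborted, s.runtime


def scenario2_privileged_scheduled():
    """Placed in the high priority pool at start, moved to standard_perf after 2m, aborted after 15m."""
    s = run(SCENARIO_2, Search(role="privileged", search_type="scheduled"), minutes=16)
    return s.pool, s.aborted, s.runtime
```

Each function returns the final pool, abort flag and runtime (or a subset of them); the `history` list on a Search records which rule fired at each evaluation, which is the quickest way to check a proposed rule order against a concrete search before committing it in Splunk Web.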
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10