Splunk® Enterprise

Workload Management

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Workload management examples

The following scenarios provide some guidance on how to use workload management in Splunk Enterprise. These scenarios are hypothetical examples only. The exact steps will depend on your specific objectives and requirements.

Scenario 1: Prioritize Security team searches

Use cases:

  • Provide a high priority resource pool for all searches run by the security team.
  • Put all index=* searches and all "all time" time range searches in a low priority pool.
  • Abort all real-time searches after 1m.
  • Move all long-running searches (>5m) that are not from the security team or sc_admin into a low priority pool.
  • Abort all long-running searches (>10m) that are not from the security team or sc_admin.

To do this, follow the steps below:

  1. From Splunk Web, go to Settings > Workload Management.
  2. Create the following workload rules by clicking Add Workload Rule.

The order of the rules is important. Rules are evaluated in order from top to bottom. If a search triggers a rule, the corresponding action is taken and none of the rules below it are evaluated. For example, if Rule #2 were ordered above Rule #1 in the table below, Rule #2 would trigger after 5 minutes and the search would be moved to the alternate pool. On the next evaluation, Rule #2 would trigger again. Rule #1 would never trigger, and the search would not be aborted even after 10 minutes.

Order  Condition                                             Action
1      NOT (role=security OR role=sc_admin) AND runtime>10m  Abort
2      NOT (role=security OR role=sc_admin) AND runtime>5m   Move search to alternate pool: limited_perf
3      search_mode=realtime AND runtime>1m                   Abort
4      index=* OR search_time_range=alltime                  Place search in pool: limited_perf
5      role=security                                         Place search in pool: high_perf

The rules are created and placed in this order to achieve the use cases. The rules are evaluated every few seconds and whenever a new search starts. If a search meets the condition of a rule, the corresponding action is taken, and the rules below it are not evaluated.
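To make the first-match semantics concrete, here is a small simulation of the Scenario 1 rule table. It is an added example, not Splunk's own rule engine or configuration format: the Search and Rule records, the field names and the checkpoint timings are constructed for illustration. It shows a non-security search being moved to limited_perf after 5 minutes and aborted after 10, and reproduces the ordering mistake described above, where swapping Rules #1 and #2 means the search is never aborted.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Search:  # constructed search record for this example, not Splunk's data model
    roles: set
    runtime_min: float = 0        # minutes the search has been running
    search_mode: str = "normal"   # or "realtime"
    index: str = "main"           # "*" for index=* searches
    time_range: str = "last24h"   # or "alltime"
    pool: str = "standard_perf"   # pool the search currently runs in
    aborted: bool = False

@dataclass
class Rule:
    name: str
    condition: Callable[[Search], bool]
    action: str                   # "abort" or "move"
    pool: str = ""                # target pool for a "move" action

def evaluate(rules, search):
    """Top-to-bottom, first-match: apply the first matching rule, skip the rest."""
    for rule in rules:
        if rule.condition(search):
            if rule.action == "abort":
                search.aborted = True
            else:
                search.pool = rule.pool
            return rule.name      # name of the rule that fired
    return None                   # no rule matched; the search is left alone

PRIV = {"security", "sc_admin"}
SCENARIO_1 = [  # Scenario 1 rules, in the order the page gives them
    Rule("1", lambda s: not s.roles & PRIV and s.runtime_min > 10, "abort"),
    Rule("2", lambda s: not s.roles & PRIV and s.runtime_min > 5, "move", "limited_perf"),
    Rule("3", lambda s: s.search_mode == "realtime" and s.runtime_min > 1, "abort"),
    Rule("4", lambda s: s.index == "*" or s.time_range == "alltime", "move", "limited_perf"),
    Rule("5", lambda s: "security" in s.roles, "move", "high_perf"),
]

def simulate(rules, search, checkpoints=(0, 6, 11)):
    """Re-evaluate at successive runtimes; one (minutes, rule, pool, aborted) per step."""
    trace = []
    for minutes in checkpoints:
        if search.aborted:        # an aborted search is no longer evaluated
            break
        search.runtime_min = minutes
        fired = evaluate(rules, search)
        trace.append((minutes, fired, search.pool, search.aborted))
    return trace
```

Note that a security user's index=* search lands in limited_perf, because Rule #4 sits above Rule #5; move Rule #5 up if that is not the intended behaviour.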

Scenario 2: Create a high priority pool for scheduled searches

This scenario represents the following use case:

  • Provide a high priority pool for all scheduled searches from users in role=privileged, but move these searches to the standard pool if they run for more than 2m.
  • Move all ad hoc searches running for more than 5m to a low priority pool.
  • Put all index=* searches and all "all time" time range searches in a low priority pool.
  • Abort all searches running for more than 15m, except searches from sc_admin.

To do this, follow the steps below:

  1. From Splunk Web, go to Settings > Workload Management.
  2. Create the following workload rules by clicking Add Workload Rule.

Order  Condition                                                 Action
1      NOT (role=sc_admin) AND runtime>15m                       Abort
2      search_type=adhoc AND runtime>5m                          Move search to alternate pool: limited_perf
3      role=privileged AND search_type=scheduled AND runtime>2m  Move search to alternate pool: standard_perf
4      index=* OR search_time_range=alltime                      Place search in pool: limited_perf
5      role=privileged AND search_type=scheduled                 Place search in pool: high_perf

As in Scenario 1, the rules are evaluated from top to bottom, and the first rule whose condition a search meets determines the action taken.

Last modified on 12 October, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10