Apply parallel reduce processing to searches
If you have configured parallel reduce search processing for your deployment, you can use the redistribute command to apply it to your high-cardinality searches, so they can complete faster.
If this is your first time reading about this feature, see Overview of parallel reduce search processing for an overview of parallel reduce search processing and a list of prerequisites.
To configure your deployment to use this functionality, see Configure parallel reduce search processing.
Use the redistribute command
Use the redistribute command in a high-cardinality search to give that search the benefit of parallel reduce search processing. Only users with roles that have the run_multi_phased_searches capability can use redistribute.
The redistribute command supports only streaming commands and the following nonstreaming commands: stats, tstats, streamstats, eventstats, sichart, sitimechart, and transaction.
See redistribute in the Search Reference.
About the run_multi_phased_searches capability
The run_multi_phased_searches capability is not assigned to any role by default. As a best practice, we suggest that you create a specialized role for this capability and assign it only to users who can be trusted to run reasonable numbers of parallel reduce searches when overall indexer load is low.
See About defining roles with capabilities in Securing Splunk Enterprise.
Concurrent parallel reduce searches
By default, the number of concurrent parallel reduce searches that can run on an intermediate reducer is limited to the number of CPU cores in the reducer. This default is controlled by the maxPrdSearchesPerCpu setting in limits.conf.
If the number of concurrent parallel reduce search processes running on your intermediate reducers exceeds the number of cores in your reducers, you might lose the search performance gains that parallel reduce search processing is designed to deliver. If you cannot lower your average number of concurrent parallel reduce search processes, you can disable the useClientSSLCompression setting in server.conf on your search heads and intermediate reducers. This should restore the lost parallel reduce search performance.
Disabling useClientSSLCompression causes the bundle replication process to require additional network bandwidth. If you depend on efficient bundle replication do not disable this setting.
To disable or enable useClientSSLCompression, you must have access to the limits.conf file for your Splunk deployment, located in $SPLUNK_HOME/etc/system/local/. See About configuration files and the topics that follow it in the Admin Manual for more information about making configuration file updates.
| Configure parallel reduce search processing | About search head clustering |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14
Download manual
Feedback submitted, thanks!