Splunk Enterprise and NUMA architectures
CPU architectures that feature the non-uniform memory access (NUMA) design are becoming increasingly popular, and many servers now offer them: multi-socket systems as well as single-socket, cluster-on-die CPUs. Software that is not optimized for NUMA can experience performance cliffs on machines with NUMA turned on, as the operating system migrates processes between different CPUs.
Splunk Enterprise is not optimized to run on machines with NUMA turned on. Splunk has observed CPU usage increases on the order of 50% when Splunk Enterprise runs on servers with 8 NUMA nodes. It has also observed ingestion eventually blocking during periods of high search load, when the number of active processes on the server puts pressure on the operating system to migrate processes between CPUs more frequently.
Turn off NUMA on any machine on which you run Splunk Enterprise software. This restriction applies to universal forwarders as well as Splunk Enterprise when you configure it as a heavy forwarder. Check the documentation of your operating system for details on how to do so.
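One way to check from a Linux shell whether the kernel currently exposes more than one NUMA node, as an added example that is not part of the Splunk documentation. It reads the standard sysfs directory /sys/devices/system/node; the function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the NUMA nodes a Linux kernel exposes through sysfs.
# The optional directory argument is an assumption of this example; it lets
# the check run against a constructed tree as well as the live system.

NODE_DIR_DEFAULT=/sys/devices/system/node

# Print the number of nodeN directories (0 if the directory is absent,
# for example on a kernel built without NUMA support).
numa_node_count() {
    dir=${1:-$NODE_DIR_DEFAULT}
    count=0
    for n in "$dir"/node[0-9]*; do
        if [ -d "$n" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Print "nodeN <cpulist>" for every node that has CPUs attached.
numa_cpu_map() {
    dir=${1:-$NODE_DIR_DEFAULT}
    for n in "$dir"/node[0-9]*; do
        if [ -r "$n/cpulist" ]; then
            cpus=$(cat "$n/cpulist")
            if [ -n "$cpus" ]; then
                echo "${n##*/} $cpus"
            fi
        fi
    done
    return 0
}

# Print "single-node" when at most one node is visible, otherwise
# "multi-node:<count>", the case the guidance above says to avoid.
numa_verdict() {
    count=$(numa_node_count "$1")
    if [ "$count" -le 1 ]; then
        echo "single-node"
    else
        echo "multi-node:$count"
    fi
}

# Report on the live system when run directly.
numa_verdict
numa_cpu_map
```

Run it again after changing the firmware or operating system setting to confirm that the host now reports a single node.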
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0