Workload Management overview
This documentation applies to workload management in Splunk Cloud Platform only. For documentation that applies to workload management in Splunk Enterprise, see the Workload Management manual in the Splunk Enterprise documentation.
Workload management is a rule-based framework that enables the allocation of compute resources (CPU and memory) to search, indexing, and other workloads in Splunk Cloud Platform. You can use workload management to ensure that high priority searches receive adequate resources, while lower priority searches are appropriately restricted.
Workload management lets you:
- Isolate data-ingestion from the search workloads
- Prioritize critical search workloads
- Isolate resource-heavy searches to reduce impact on the overall system
You must have the
sc_admin (Splunk Cloud Platform Administrator) role to see workload pools and workload rules in Splunk Cloud Platform.
You must also have the following capabilities to configure workload management:
How workload management works
Workload management lets you allocate CPU and memory resources to searches in logical containers called workload pools. You then define workload rules to place searches in different workload pools automatically. You can also define workload rules to monitor search runtime and perform automated remediation actions.
For example, you can create a workload rule that places searches from the security team in the high-priority workload pool, and create another rule to move those searches to the standard pool if the search runtime exceeds 2 minutes.
Workload management concepts
The following concepts and features are important to understand before using workload management:
A workload pool is a logical container that allows prioritization of workloads in the pool. Splunk Cloud Platform provides three pre-defined workload pools for searches. Each pool is allocated a percentage of CPU and memory resources:
- Standard: All searches are assigned to this pool by default. You must use workload rules to place searches in other pools.
- HighPriority: Compared to the Standard pool, this pool is assigned a larger share of system resources. Workloads assigned to this pool are assigned a higher priority compared to executing in the Standard pool when system resources are in contention. However, you might still need to modify the search for better performance. For information about search optimization, see Search Optimization in the Search manual.
- LowPriority: Compared to the Standard pool, a relatively smaller share of system resources is assigned to this pool. Consequently, workloads assigned to this pool will execute with the lowest priority compared to the other two pools.
The following table shows the default allocation of Search resources among different pools. You cannot modify these values.
Search Category Pools (% of Search Resources):
- When migrating to this version of Splunk Cloud Platform, if you do nothing, there is no change in your search priority. All of your searches will run in the Standard pool.
- Selectively add workloads (by creating workload rules) to the HighPriority pool to ensure higher performance and speed for that workload in your priority pool. The HighPriority pool is intended to serve a few selected high priority searches. Assigning too many searches to the HighPriority pool will degrade the search performance.
- Using workload pools helps to ensure that your priority searches have high performance. This means that searches in your Standard and LowPriority pools may degrade somewhat by comparison. This is expected behavior, and you may need to monitor and adjust rules to ensure that you get the best performance for the searches that matter most.
A workload rule contains a user-defined condition based on a set of predicates. For example, role=security AND search_type=adhoc. When a search meets the user-defined condition, the rule is triggered and a specified action occurs. You can define workload rules to place searches in workload pools automatically, or create rules to monitor and perform remediation actions on long-running searches.
For more information on workload rules, see Create workload rules.
Admission rules filter out searches automatically before they start based on a user-defined predicate (condition).
You can use admission rules to prevent the execution of rogue searches that might consume a large amount of resources and interfere with critical search workloads. You can also use admission rules to limit which roles, apps, and so on, can run searches over specific time ranges, such as peak business days.
For more information on admission rules, see Create admission rules to prefilter searches.
Set limits for concurrent scheduled searches
Configure workload rules
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2105, 8.2.2106, 8.2.2107, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202, 8.2.2203