Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Workload Management overview

This documentation applies to workload management in Splunk Cloud Platform only. For documentation that applies to workload management in Splunk Enterprise, see the Workload Management manual in the Splunk Enterprise documentation.

Workload management is a rule-based framework that enables the allocation of compute resources (CPU and memory) to search, indexing, and other workloads in Splunk Cloud Platform. You can use workload management to ensure that high priority searches receive adequate resources, while lower priority searches are appropriately restricted.

Workload management lets you:

  • Isolate data-ingestion from the search workloads
  • Prioritize critical search workloads
  • Isolate resource-heavy searches to reduce impact on the overall system

Workload management is an administrative feature that requires you to hold the sc_admin role to see workload pools and rules. You must also have the following capabilities to configure workload management: list_workload_pools , list_workload_rules, edit_workload_rules and select_workload_pools.


How workload management works

Workload management lets you allocate CPU and memory resources to searches in logical containers called workload pools. You then define workload rules to place searches in different workload pools automatically. You can also define workload rules to monitor search runtime and perform automated remediation actions.

For example, you can create a workload rule that places searches from the security team in the high-priority workload pool, and create another rule to move those searches to the standard pool if the search runtime exceeds 2 minutes.

Workload management concepts

The following concepts and features are important to understand before using workload management:

Workload pools

A workload pool is a logical container that allows prioritization of workloads in the pool. Splunk Cloud Platform provides three pre-defined workload pools for searches. Each pool is allocated a percentage of CPU and memory resources:

  • Standard: All searches are assigned to this pool by default. You must use workload rules to place searches in other pools.
  • HighPriority: Compared to the Standard pool, this pool is assigned a larger share of system resources. Workloads assigned to this pool are assigned a higher priority compared to executing in the Standard pool when system resources are in contention. However, you might still need to modify the search for better performance. For information about search optimization, see Search Optimization in the Search manual.
  • LowPriority: Compared to the Standard pool, a relatively smaller share of system resources is assigned to this pool. Consequently, workloads assigned to this pool will execute with the lowest priority compared to the other two pools.

The following table shows the default allocation of Search resources among different pools. You cannot modify these values.

Search Category Pools (% of Search Resources):

Pool CPU Memory
Standard

35% 100%
HighPriority

60% 100%
LowPriority

5% 100%

Tips

  1. When migrating to this version of Splunk Cloud Platform, if you do nothing, there is no change in your search priority. All of your searches will run in the Standard pool.
  2. Selectively add workloads (by creating workload rules) to the HighPriority pool to ensure higher performance and speed for that workload in your priority pool. The HighPriority pool is intended to serve a few selected high priority searches. Assigning too many searches to the HighPriority pool will degrade the search performance.
  3. Using workload pools helps to ensure that your priority searches have high performance. This means that searches in your Standard and LowPriority pools may degrade somewhat by comparison. This is expected behavior, and you may need to monitor and adjust rules to ensure that you get the best performance for the searches that matter most.

Workload rules

A workload rule contains a user-defined condition based on a set of predicates. For example, role=security AND search_type=adhoc. When a search meets the user-defined condition, the rule is triggered and a specified action occurs. You can define workload rules to place searches in workload pools automatically, or create rules to monitor and perform remediation actions on long-running searches.

For more information on workload rules, see Create workload rules.

Admission rules

Admission rules filter out searches automatically before they start based on a user-defined predicate (condition).

You can use admission rules to prevent the execution of rogue searches that might consume a large amount of resources and interfere with critical search workloads. You can also use admission rules to limit which roles, apps, and so on, can run searches over specific time ranges, such as peak business days.

For more information on admission rules, see Create admission rules to prefilter searches.

Last modified on 12 August, 2021
PREVIOUS
Set limits for concurrent scheduled searches
  NEXT
Configure workload rules

This documentation applies to the following versions of Splunk Cloud Platform: 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters