Splunk Sizing and Performance: Doing More with More

If you’ve browsed the Splunk docs in the last several years or talked to anyone at Splunk about performance in larger Splunk deployments, you’ve probably seen this number that we use for estimating how many servers one might need to achieve a given daily indexing volume. Referencing here, here, and here. Say I want to do 1TB/day of Splunk indexing. That’s going to be about 10 indexing servers and a couple of search heads. Our general guidance was that, given a commodity server (historically an 8-core, 8GB+ machine with relatively fast disk), once you reached 100GB of indexing volume per day you should start to look at adding more indexers to service the workload. This …


License Usage Reporting Gets Some “LURV” in Splunk 6

Since Splunk is licensed by indexing volume per day, it’s probably good to know what your volume of indexed data per day is, right? Are you using a little bit of your license? Are you using most of your license? Are you blowing out your Splunk license regularly and hopefully love the product and need to get more? In the past, there have been several ways to get better visibility into your license consumption. There are license usage dashboards in S.o.S, Deployment Monitor, and a License Usage App on the Splunk apps page. If you were savvy with the Splunk search language, and didn’t mind getting your hands dirty, perhaps you even tried to craft your own using …


Dropping Useless Headers in Splunk 6

Part 2 of our series on new ways to handle file headers in Splunk 6. The examples that we looked at last time with IIS logs actually had useful information in the file header. We picked up the field names and did index-time association with the data, saving you an extra step after consuming the data with Splunk. Plus, index time means speed. But if you spend enough time with log files and ingesting data with Splunk, you’ve probably come across some formats having headers that don’t really tell you very much. They could have some startup information spanning several lines before you actually see any log data where the interesting stuff begins. Not to trash talk WebSphere, but this …


IIS Logs and Splunk 6

Needless to say, we delivered a feature-packed release in Splunk 6 a few weeks ago. With all the buzz around Data Model and Pivot, you might have missed a few of the other cool things we’ve been working on back in the bit factory.

Historically, if you were going to Splunk anything with a file header, like a CSV or IIS log, we attempted to take the file header, read in the field names, and create props and transforms for you in the learned app using DELIMS. While this worked OK for local file ingestion on a Splunk server for CSV, CHECK_FOR_HEADER would get confused with multi-line headers like those found in IIS. For example:

#Software: Microsoft 

Quantifying the Benefits of Splunk with SSDs

We’ve had the question posed to us several times over the years: “What impact would the addition of an SSD have to my Splunk environment?” Referencing Splunk Answers:

Raitz is dead-on in his reply. As data flows into a Splunk indexer, we are write-I/O heavy. Sequential write performance on SSD vs SAS is pretty similar, so there is no real benefit for Splunk on an SSD here. These benchmarks illustrate this.



(These are RAID controller benchmarks but they still demonstrate the point)

Since a Splunk indexing server pulls dual duty and responds to search requests as well as performs indexing, what is the impact of an SSD on search performance? Splunk searches can be categorized in two …


Buckeye State Blogging – SplunkLive Columbus

I had the opportunity to attend our SplunkLive event in Columbus the other day. Before I even mention the event, let me go on record as saying that the Blue Ribbon Pot Roast at the Tip Top Kitchen is probably the best darn pot roast I’ve ever had. Hopefully my mother doesn’t read this. Let’s talk SplunkLive. For those of you who have never been to a SplunkLive, it’s an event we hold regularly in cities all over the world for Splunk customers, partners, and those interested in learning a bit more about what’s going on at Splunk to interact. Having been in the tech industry for a while, I’ve been to many vendor events where you get to hear one …
