All,
I have inherited the task of learning about an older Splunk installation (4.1.5). It is working just fine; however, it has been starting to show some high CPU usage and other indications that it is struggling. This box has not been touched or changed in a while, but the amount of data it has been tasked with indexing and the number of queries have not been static. I expect that the main reason for the issues being seen is related to the hardware and software being updated to match the load being put on it.
I am soliciting ideas on helping me find weak spots and areas of bad implementation. Since I did not design this thing, I want to look for weak spots.
So far, it has been all Splunk research:
- Found numerous lookups taking place, some with Python scripts, others using external lookup files.
- Found that the "queue" has been hitting the "max_size" of the queue frequently, but the machine memory is not being utilized fully.
Questions:
- If I have found that there are lookups defined, but files missing, will this cause Splunk to slow down looking for these files or timing out?
- Is there a way to find out if a lookup is being triggered or being used?
- Is there a faster or more efficient method of "lookups" than external files or Python scripts?
- Is there a way to increase the max_size of the queue to handle more items in the queue? Is this recommended?
Thanks!