Observations and Recommendations On Splunk Performance

Download as pdf or txt
Download as pdf or txt
You are on page 1of 37

Copyright

 ©  2016  Splunk  Inc.  

Observa;ons  And  Recommenda;ons  On  


Splunk  Performance  
Dritan  Bi;ncka  
Principal  Architect,  Splunk  
Disclaimer  
During  the  course  of  this  presenta;on,  we  may  make  forward  looking  statements  regarding  future  
events  or  the  expected  performance  of  the  company.  We  cau;on  you  that  such  statements  reflect  our  
current  expecta;ons  and  es;mates  based  on  factors  currently  known  to  us  and  that  actual  events  or  
results  could  differ  materially.  For  important  factors  that  may  cause  actual  results  to  differ  from  those  
contained  in  our  forward-­‐looking  statements,  please  review  our  filings  with  the  SEC.  The  forward-­‐
looking  statements  made  in  the  this  presenta;on  are  being  made  as  of  the  ;me  and  date  of  its  live  
presenta;on.  If  reviewed  aRer  its  live  presenta;on,  this  presenta;on  may  not  contain  current  or  
accurate  informa;on.  We  do  not  assume  any  obliga;on  to  update  any  forward  looking  statements  we  
may  make.  In  addi;on,  any  informa;on  about  our  roadmap  outlines  our  general  product  direc;on  and  is  
subject  to  change  at  any  ;me  without  no;ce.  It  is  for  informa;onal  purposes  only  and  shall  not,  be  
incorporated  into  any  contract  or  other  commitment.  Splunk  undertakes  no  obliga;on  either  to  develop  
the  features  or  func;onality  described  or  to  include  any  such  feature  or  func;onality  in  a  future  release.  

2  
About  Me    
 
  Member  of  Splunk  Tech  Services  
  >5  Years  at  Splunk  
  Large  scale  and  Cloud  deployments  
  6th  .conf  
Agenda  
  Performance  &  BoZlenecks    
Understanding  fundamentals:  
–  Indexing:  
ê  Index-­‐;me  pipelines    
ê  Index  tes;ng  
–  Searching:    
ê  Searching  in  isola2on  &  under  indexing  load  
ê  Types  of  searches    
ê  Mixed  workload  impact  on  resources    

4  
Tes;ng  Disclaimers  
•  Tes;ng  on  arbitrary  datasets  in  a  “closed  
course”  (lab)  environment  
•  Do  not  take  out  of  context  

5  
Typical  “my  Splunk  is  not  performing  well”  conversa;on  

A:  My  Splunk  is  slow  


B:  Okay,  so  what  
exactly  is  slow?  
A:  I  dunno,  it  just  feels  
slow…maybe  I’ll  just  
get  some  SSDs    
6  
Splunk,  like  all  distributed  compu;ng  
systems,  has  various  boZlenecks  that  
manifest  themselves  differently    
depending  on  workloads  being  processed.    
-­‐  Winston  Churchill  

7  
Iden;fying  Performance  BoZlenecks  
  Understand  data  flows     data  
–  Splunk  opera;ons  pipelines  
Ingest                (Indexing)      
  Instrument  
–  Capture  metrics  for  relevant  opera;ons      
  Run  tests   Splunk  >  
  Draw  conclusions  
–  Chart  and  table  metrics,  looks  for  
emerging  paZerns     Consume                (Search)  

  Make  recommenda2ons    

8  
Put  That  In  Your  Pipeline  And  Process  It  

UTF-­‐8   Header  
Input   Line  Breaker   Output  
Converter   Extrac;on  

 
Pipeline    
Data  
 

Splunk  data  flows  thru  several  such  pipelines  before  it  gets  indexed    

9  
Lots  Of  Pipelines  

LINE_BREAKER   SHOULD_LINEMERGE   TRANSFORMS-­‐xxx  


TRUNCATE   BREAK_ONLY_BEFORE   SEDCMD  
MUST_BREAK_AFTER   ANNOTATE_PUNCT  
TIME_*  

10  
Index-­‐;me  Processing  

Event     LINE_BREAKER  <where  to  break  the  stream>  


Breaking  
SHOULD_LINEMERGE  <enable/disable  merging>  
MAX_TIMESTAMP_LOOKAHEAD  <#  chars  in  to  look  for  ts>  
Timestamp    
Extrac;on  
TIME_PREFIX  <pattern  before  ts>  
TIME_FORMAT  <strptime  format  string  to  extract  ts>  
Typing   ANNOTATE_PUNCT  <enable/disable  punct::  extraction>  
 

11  
Tes;ng:  Dataset  A  
  10M  syslog-­‐like  events:    
 .  .  .    
 08-­‐24-­‐2016  15:55:39.534  <syslog  message  >  
 08-­‐24-­‐2016  15:55:40.921  <syslog  message  >  
 08-­‐24-­‐2016  15:55:41.210  <syslog  message  >  
 .  .  .  

  Push  data  thru:    


–  Parsing  >  Merging  >  Typing  Pipelines    
ê  Skip  Indexing  
–  Tweak  various  props.conf  sejngs   MLA:  MAX_TIMESTAMP_LOOKAHEAD  =  24  

  Measure   LM:    SHOULD_LINEMERGE  =  false  


TF:    TIME_FORMAT  =  %m-­‐%d-­‐%Y  %H:%M:%S.%3N    
DC:    DATETIME_CONFIG  =  CURRENT        

12  
Index-­‐;me  Pipeline  Results    
Default   9.5  

MLA   8.6  

LM+TF   6.3  

LM+DC   5.8  

MLA:  MAX_TIMESTAMP_LOOKAHEAD  =  24  


0   1   2   3   4   5   6   7   8   9  
LM:    SHOULD_LINEMERGE  =  false   10  
2me  (s)   TF:    TIME_FORMAT  =  %m-­‐%d-­‐%Y  %H:%M:%S.%3N    
Time  (s)   DC:    DATETIME_CONFIG  =  CURRENT        

13  
•  All  pre-­‐indexing  pipelines  
are  expensive  at  default  
sejngs.    
‒  Price  of  flexibility    
•  If  you’re  looking  for  
Flexibility  

performance,  minimize  
generality    
 
•  LINE_BREAKER  
•  SHOULD_LINEMERGE  
•  MAX_TIMESTAMP_LOOKAHEAD  
Performance   •  TIME_PREFIX  
Time  (s)   •  TIME_FORMAT  

14  
Next:  Let’s  Index  A  Dataset  B  
  Generate  a  much  larger  dataset  (1TB)  
–  High  cardinality,  ~380  Bytes/event,  2.9B  events  
  Forward  to  indexer  as  fast  as  possible  
–  Indexer:  
ê  Linux  2.6.32  (CentOS);    
ê  2x12  Xeon  2.30  GHz  (HT  enabled)    
ê  8x300GB  15k  RPM  drives  in  RAID-­‐0  
–  No  other  load  on  the  box  
  Measure  

15  
Indexing:  CPU  And  IO  

16  
Indexing  Test  Findings  
  CPU  U;liza;on  
–  ~17.6%  In  this  case,  4-­‐5  Real  CPU  Cores  
  IO  U;liza;on    
–  Characterized  by  both  reads  and  writes  but  not  as  demanding  as  search.  
Note  the  splunk-­‐op8mize  process  
  Inges;on  Rate    
–  30MB/s  
–  “Speed  of  Light”  –  no  search  load  present  on  the  server  

17  
Index  Pipeline  Paralleliza;on  
  Splunk  6.3+  can  maintain  mul;ple  independent  pipelines  sets    
ê  i.e.  same  as  if  each  set  was  running  on  its  own  indexer    
  If  machine  is  under-­‐u;lized  (CPU  and  I/O),  you  can  configure  the  
indexer  to  run  2  such  sets  
  Achieve  roughly  double  the  indexing  throughput  capacity  
  Try  not  to  set  over  2  
  Be  mindful  of  associated  resource  consump;on    

18  
Indexing  Test  Conclusions  
  Distribute  as  much  as  you  can  –  Splunk  scales  horizontally  
–  Enable  more  pipelines  but  be  aware  of  compute  tradeoff    
  Tune  event  breaking  and  2mestamping  aZributes  in  props.conf  
whenever  possible  

  Faster  disk  (ex.  SSDs)  would  not  have  necessarily  improved  


indexing  throughput  by  much  
  Faster,  but  not  more,  CPUs  would  have  improved  indexing  
throughput  (mul;ple  pipelines  would  need  more  CPUs)  

19  
Next:  Searching  
  Real-­‐life  search  workloads  are  extremely  complex  and  very  varied  to  
be  profiled  correctly  
 
  But,  we  can  generate  arbitrary  workloads  covering  a  wide  spectrum  
of  resource  u;liza;on  and  profile  those  instead.  Actual  profile  will  
fall  somewhere  in  between    

IO                                    CPU  

20  
Search  Pipeline  (High  Level)  
Some  preparatory  
steps  here  

Repeat  un;l  search  completes  

For  each  bucket   Process  events:  st   Filter  events  to  


For  each  bucket  
Find  buckets   check  tsidx  for   rename,  extract,   match  the  search   Write  temporary  
read  journal.gz  at  
based  on  search   events  that  match   report,  kv,  alias,   string  (+   results  to  
offsets  supplied  
;merange   LISPY  and  find   eval,  lookup,   evenZyping   dispatch  directory  
by  previous  step  
rawdata  offset   subsecond     tagging)  

Return  progress  
to  SH  Splunk’d  

21  
Search  Pipeline  Boundedness    
Some  preparatory  
steps  here  

Repeat  un;l  search  completes  

For  each  bucket   Process  events:  st   Filter  events  to  


For  each  bucket  
Find  buckets   check  tsidx  for   rename,  extract,   match  the  search   Write  temporary  
read  journal.gz  at  
based  on  search   events  that  match   report,  kv,  alias,   string  (+   results  to  
offsets  supplied  
;merange   LISPY  and  find   eval,  lookup,   evenZyping   dispatch  directory  
by  previous  step  
rawdata  offset   subsecond     tagging)  

IO  
Return  progress  
to  SH  Splunk’d  

22  
Search  Pipeline  Boundedness    
Some  preparatory  
steps  here  

Repeat  un;l  search  completes  

For  each  bucket   Process  events:  st   Filter  events  to  


For  each  bucket  
Find  buckets   check  tsidx  for   rename,  extract,   match  the  search   Write  temporary  
read  journal.gz  at  
based  on  search   events  that  match   report,  kv,  alias,   string  (+   results  to  
offsets  supplied  
;merange   LISPY  and  find   eval,  lookup,   evenZyping   dispatch  directory  
by  previous  step  
rawdata  offset   subsecond     tagging)  

IO   CPU  +  Memory  
Return  progress  
to  SH  Splunk’d  

23  
Search  Types  
  Dense  
–  Characterized  predominantly  by  returning  many  events  per  bucket  
   index=web  |  stats  count  by  clientip  
  Sparse  
–  Characterized  predominantly  by  returning  some  events  per  bucket  
 index=web  some_term  |  stats  count  by  clientip  
  Rare  
–  Characterized  predominantly  by  returning  only  a  few  events  per  index  
 index=web  url=onedomain*  |  stats  count  by  clientip  
 

24  
Okay,  Let’s  Test  Some  Searches  
  Use  our  already  indexed  data    
–  It  contains  many  unique  terms  with  predictable  term  density  
  Search  under  several  term  densi;es  and  concurrencies      
–  Term  density:  1/100,  1/1M,  1/100M  
–  Search  Concurrency:  4  –  60  
–  Searches:    
ê  Rare:  over  all  1TB  dataset  
ê  Dense:  over  a  preselected  2me  range    
  Repeat  all  of  the  above  while  under  an  indexing  workload  
  Measure  

25  
Dense  Searches  
Hijng  100%  CPU  at  
CPU  U2liza2on  (%)   core#=concurrency  

IO  Wait  (%)    

26  
CPU  U2liza2on  (%)    
 Indexing  With  Dense  Searches  
Hijng  100%  earlier  

Indexing  Throughput  (KB/s)  

Indexing  Only  

Search  Dura2on  (s)  

27  
Dense  Searches  Summary  
  Dense  workloads  are  CPU  bound    
  Dense  workload  comple;on  ;mes  and  indexing  throughput  both  
nega;vely  affected  while  running  simultaneously    
  Faster  disk  wont  necessarily  help  as  much  here  
–  Majority  of  ;me  in  dense  searches  is  spent  in  CPU  decompressing  rawdata  +  
other  SPL  processing  
  Faster  and  more  CPUs  would  have  improved  overall  performance  

28  
CPU  U2liza2on  (%)   Rare  Searches  

Reads/s  (from  sar)  

IO  Wait  (%)  

29  
CPU  U2liza2on  (%)  
Indexing  With  Rare  Searches  

Reads/s  (from  sar)  

IO  Wait  (%)  

30  
Indexing  Throughput  (KB/s)  
More  Numbers    
Indexing  Only  

Search  Dura2on  (s)  

Search  Dura2on  (s)  

31  
Rare  Searches  Summary  
  Rare  workloads  (inves;ga;ve,  ad-­‐hoc)  are  IO  bound    
  Rare  workload  comple;on  ;mes  and  indexing  throughput  both  nega;vely  
affected  while  running  simultaneously    
  1/100M  searches  have  a  lesser  impact  on  IO  than  1/1M    
  When  indexing  is  on,  in  1/1M  case  search  dura;on  increases  substan;ally  more  
vs.  1/100M.  Search  and  indexing  are  both  conten;ng  for  IO    
  In  case  of  1/100M,  bloomfilters  help  improve  search  performance  
–  Bloomfilters  are  special  data  structures  that  indicate  with  100%  certainty  that  a  term  
does  not  exist  in  a  bucket  (indica8ng  to  the  search  process  to  skip  that  bucket)    
  Faster  disks  would  have  definitely  helped  here  
  More  CPUs  would  not  have  improved  performance  by  much  

32  
Is  My  Search  CPU  Or  IO  Bound?  

Guideline  in  absence  of  full  instrumenta;on    


command.search.rawdata  ~  CPU  Bound  
–  Others:  .kv,  .typer,  .calcfields,    
command.search.index  ~  IO  Bound  

33  
Top  Takeways/Re-­‐Cap  
•  Indexing     CPU  
–  Distribute  –  Splunk  scales  horizontally  
–  Tune  event  breaking  and  ;mestamp  extrac;on    
–  Faster  CPUs  will  help  with  indexing  performance   Term  
•  Searching   Density  
–  Distribute  –  Splunk  scales  horizontally    
–  Dense  Search  Workloads  
ê  CPU  Bound,  beZer  with  indexing  than  rare  workloads  
IO  
ê  Faster  and  more  CPUs  will  help  
–  Rare  Search  Workloads  
ê  IO  Bound,  not  that  great  with  indexing     Use  case     What  Helps?  
ê  Bloomfilters  help  significantly   Trending,  repor;ng   More  distribu;on    
ê  Faster  disks  will  help   over  long  term  etc.   Faster,  more  CPUs  
•  Performance  
–  Avoid  generality,  op;mize  for  expected  case  and  add   Ad-­‐hoc  analysis,   More  distribu;on  
hardware  whenever  you  can   inves;ga;ve  type     Faster  Disks,  SSDs  

34  
Tes;ng  Disclaimer  Reminder  

1.  Tes;ng  conducted  on  arbitrary  datasets  


2.  “closed  course”  (lab)  environment  
3.  Not  to  be  interpreted  out  of  context  

35  
Q  &  A   You  May  Also  Like  
Feedback:  [email protected]    
Search:  Under  the  Hood  
Worst  Prac;ces...  and  How  to  Fix  Them  
Splunk  Performance  Reloaded  
 
THANK  YOU  

You might also like