
Workload Management In Splunk

As a Splunk admin, it is very important to manage the workload of your Splunk environment so that the actual business runs swiftly.
Workload management is a newly added Splunk feature that enables you to allocate resources (compute and memory) to:

1. Ingesting data
2. Generating reports
3. Showing dashboards
4. Running searches concurrently based on your priorities

Some workloads require more resources and have a higher priority than others. Failing to allocate resources efficiently to critical searches can make your environment slow. To meet your business objectives, you must quickly and efficiently allocate Splunk resources to your business-critical workloads or searches with workload management.

Advantages of workload management:

1. Avoid data ingestion lag due to search overload.
2. Prioritize business-critical searches by providing them a high-priority resource pool.
3. Isolate inefficient searches.

Configure workload management:
NOTE: To configure workload management, the operating system must be Linux. It cannot be done on Windows or other operating systems.


1. Splunk version 7.2.0 or higher
2. Linux OS required (CentOS 6, 7 and 8 | RHEL 6, 7 and 8 | Ubuntu 16.04 LTS and higher | SUSE 11 and 12)
3. Linux kernel version 2.6.25 or higher
4. Linux systemd version 219 or higher

Run the command below to check the systemd version on your Linux server.

# systemctl --version
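
The requirements listed above can be verified before the Splunk service is touched. The script below is an added example, not part of the original post or of Splunk's tooling; the function names are illustrative, and the minimum versions are the ones given in the list above.

```shell
#!/bin/sh
# Added example: preflight check for the requirements listed above.
# Function names are illustrative; the minimum versions come from the page.
MIN_KERNEL="2.6.25"
MIN_SYSTEMD="219"

# Keep only the leading digits-and-dots part, e.g. "3.10.0-1160.el7" -> "3.10.0".
numeric_prefix() { printf '%s\n' "$1" | sed 's/[^0-9.].*$//'; }

# Extract the version from the first line of `systemctl --version` output.
systemd_version() {
    numeric_prefix "$(printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {print $2}')"
}

# version_ge A B: succeed when dotted version A >= B, comparing field by field
# numerically (a plain string compare would rank 2.6.9 above 2.6.25).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_host OS KERNEL_RELEASE SYSTEMCTL_OUTPUT: report each requirement and
# return 0 only when all of them are met.
check_host() {
    rc=0
    kver=$(numeric_prefix "$2"); sver=$(systemd_version "$3")
    if [ "$1" = "Linux" ]; then echo "ok   OS is Linux"
    else echo "FAIL OS is $1, Linux required"; rc=1; fi
    if version_ge "$kver" "$MIN_KERNEL"; then echo "ok   kernel $kver"
    else echo "FAIL kernel ${kver:-unknown} < $MIN_KERNEL"; rc=1; fi
    if version_ge "$sver" "$MIN_SYSTEMD"; then echo "ok   systemd $sver"
    else echo "FAIL systemd ${sver:-not found} < $MIN_SYSTEMD"; rc=1; fi
    return $rc
}

# Check the local host only when called with --run, so sourcing has no side effects.
if [ "${1:-}" = "--run" ]; then
    check_host "$(uname -s)" "$(uname -r)" "$(systemctl --version 2>/dev/null)"
fi
```

Run it with `--run` on the Splunk server; a non-zero exit status means at least one requirement is not met.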

Set up the system to configure workload management:
Log in to the back end of your Splunk server.
Stop the Splunk service

# sudo /opt/splunk/bin/splunk stop

Disable boot start

# sudo /opt/splunk/bin/splunk disable boot-start

Enable boot start, specifying -systemd-managed

# sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1

This creates a service named Splunkd.service under /etc/systemd/system.


Start the Splunk service

# sudo /opt/splunk/bin/splunk start

Now log in to your Splunk UI using your credentials.

Now click on Settings and then Workload Management.

Now you will see it’s been configured successfully.

As you can see, resources have already been allocated by default. You can change those allocations as per your need by clicking on the edit button.

Use case of workload management:
Now we will create two workload pools, top_priority and medium_priority, and assign more CPU and memory to top_priority.
So let's create them.
Click on Add Workload Pool

Pool Category: Search
Name: <assign a name to your pool>
CPU Weight: <assign CPU>
Memory Limit: <assign memory>

And click on Submit.
In the same way, we will create another pool with fewer resources.

Now we will add a workload rule, i.e. a rule or framework based on priority.
Suppose any admin running a search in index=network should have higher priority than a user running a search.
Based on that priority, we will create rules.
Click on Add Workload Rule.

Name: <give a meaningful name>
Predicate (condition): <add the condition using index or role, combined with logical operators>
Schedule: <choose the schedule, when it should work>
Workload Pool: <choose the pool; here we have chosen the “top_priority” pool because it has higher priority than anything else>

In the same way, we have created another pool, which has less priority.

Now you can see all of your roles based on Order (Priority).

Hope you have understood how to set up Workload Management in Splunk.


Happy Splunking!!



  1. What a great site. I really appreciate the work you invest in this site. A question: do you have any documentation on how to best use the Splunk Monitoring Console to help a Splunk admin? Also, any documentation on how to use the app Meta Woot!? Thank you in advance.

