Workload Management In Splunk
As a Splunk admin, you need to manage the workload of your Splunk environment so that the actual business runs swiftly.
Workload management is a newly added Splunk feature that enables you to allocate resources (compute and memory) to:
1. Ingesting data
2. Generating reports
3. Showing dashboards
4. Running searches concurrently based on your priorities.
Some workloads require more resources and have a higher priority than others. Failing to allocate resources efficiently to critical searches can make your environment slow. To meet your business objectives, use workload management to quickly and efficiently allocate Splunk resources to your business-critical workloads or searches.
Advantages of workload management:-
1. Avoid data ingestion lag due to search overload.
2. Prioritize business-critical searches by providing them a high-priority resource pool.
3. Isolate inefficient searches.
Configure Workload management:-
NOTE: To configure workload management, the operating system must be Linux. It can’t be done on Windows or other operating systems.
1. Splunk version 7.2.0 or higher
2. Linux OS required (CentOS 6, 7 and 8 | RHEL 6, 7 and 8 | Ubuntu 16.04 LTS and higher | SUSE 11 and 12)
3. Linux kernel version 2.6.25 or higher
4. Linux systemd version 219 or higher
Run the command below to check the “systemd” version on your Linux server.
# systemctl --version
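As an added example (not part of the original article and not Splunk's own tooling), the POSIX shell script below checks a host against the OS, kernel and systemd minimums listed above. The function names and the `--run` argument are illustrative, and the sample host values in the comments are constructed.

```sh
#!/bin/sh
# Added example: preflight check for the workload management prerequisites.
# Minimums are the ones listed in this article; function names are illustrative.
MIN_KERNEL="2.6.25"
MIN_SYSTEMD=219

# Return 0 when dotted version $1 >= $2 (first three numeric fields compared).
version_ge() {
    a=$1; b=$2
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # "18-8" -> "18"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# Print the integer version from `systemctl --version` output ($1),
# e.g. "systemd 245 (245.4-4ubuntu3.20)" -> 245. Prints nothing if absent.
systemd_version() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {sub(/[^0-9].*/, "", $2); print $2; exit}'
}

# check_host OS_NAME KERNEL_RELEASE SYSTEMCTL_OUTPUT
# Prints one line per failed prerequisite; returns the number of failures.
check_host() {
    fails=0
    [ "$1" = "Linux" ] || { echo "FAIL: OS is '$1', Linux is required"; fails=$((fails + 1)); }
    version_ge "$2" "$MIN_KERNEL" || { echo "FAIL: kernel $2 is older than $MIN_KERNEL"; fails=$((fails + 1)); }
    sv=$(systemd_version "$3")
    if [ -z "$sv" ] || [ "$sv" -lt "$MIN_SYSTEMD" ]; then
        echo "FAIL: systemd ${sv:-not found}, $MIN_SYSTEMD or higher is required"
        fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then echo "OK: OS, kernel and systemd prerequisites met"; fi
    return "$fails"
}

# Constructed sample: an old host with kernel 2.6.18 and systemd 208 fails twice.
# check_host Linux "2.6.18-8.el5" "systemd 208"

# Run against the local host only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host "$(uname -s)" "$(uname -r)" "$(systemctl --version 2>/dev/null)"
fi
```

The script does not check the Splunk version itself; confirm 7.2.0 or higher separately.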
Set up the system to configure workload management:
Log in to the back end of your Splunk server.
Stop the Splunk service
# sudo /opt/splunk/bin/splunk stop
Disable boot start
# sudo /opt/splunk/bin/splunk disable boot-start
Enable boot start specifying -systemd-managed
# sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1
This action creates a service named Splunkd.service under the /etc/systemd/system path.
Start the Splunk service
# sudo /opt/splunk/bin/splunk start
Now log in to your Splunk UI using your credentials.
Now click on Settings and then Workload Management.
You will see that it has been configured successfully.
As you can see, resources have already been allocated by default. You can change those allocations as per your need by clicking on the edit button.
Use case of workload management:
Now we will create two workload pools, top_priority and medium_priority. We will assign more CPU and memory to top_priority.
So let’s create them.
Click on Add Workload Pool
Pool Category: Search
Name: <assign a name to your pool>
CPU Weight: <assign CPU>
Memory Limit: <assign memory>
And click on Submit.
In the same way, we will create another pool with fewer resources.
Now we will add a workload rule, i.e. a rule or framework based on priority.
Suppose every admin running a search in index=network should have higher priority than a user running a search.
So based on the given priority we will create rules.
Click on Add Workload Rule.
Name: <give a meaningful name>
Predicate (condition): <add the condition with an index or role phrase and a logical operator>
Schedule: <choose the schedule, when it should work>
Workload Pool: <choose the pool; here we have chosen the “top_priority” pool because it has more priority than anything else>
In the same way, we have created another pool, which has less priority.
Now you can see all of your roles based on Order (Priority).
Hope you have understood how to set up Workload Management in Splunk.