Some SplunkIt Results

We had the chance to run SplunkIt on some commodity hardware available in our lab and wanted to share the results.

SplunkIt provides a standalone average indexing throughput, which in our case was 21,600 KBPS. It also provides this throughput metric calculated in events per second, and we measured 73,409 EPS.

Other performance metrics we obtain from running SplunkIt are (1) the amount of time it takes to get the first response or first set of events, and (2) the amount of time it takes to completely process the search request. In this run, it took an average of 632 ms to get the first event, and 16,512 ms to return all events from the search.

Note that as the search test runs, we are indexing data incoming at a rate of 3 GB/hr. And there are a fair number of scheduled searches running as well. On the following chart where you see the search response times over the duration of the test, you can clearly see the regular pattern caused by the scheduled searches.

Of course, these numbers make sense only in the context of our hardware configuration. We used an HPDL380, which has two 6-core Xeon’s at 2.67GHz, 12GB RAM, and 15K RPM hard drives. This server was running Splunk 4.2.3 on Fedora 14 (64 bit).

The virtual search user was running on a VMware ESX 4.1 instance with a 1 Xeon core at 2.67GHz and 1GB RAM. Also on Fedora 14 (64 bit).

