Splunk Cloud: Determining Search Head Resources - Hurricane Labs

Determining available resources on the Splunk Search Head

By Tom Kopchak | Published On: June 13th, 2022

Do you know how many CPUs and resources are available on your Splunk search head? If not, this tutorial will show you the way.

Let’s get started!

Validating resource availability on your on-prem Splunk Enterprise search head

When troubleshooting Splunk search performance, a common issue is validating that the correct resources are available. Fortunately, for on-premise Splunk Enterprise, this can be done easily through the Monitoring Console.

To do this, first navigate to: Settings -> Monitoring Console.

Here, you will see the amount of memory and CPU cores in the upper left corner:

Figuring out the size of your Splunk search head on Splunk Cloud

This approach will work on any Splunk Enterprise host, regardless of whether the Monitoring Console is configured in distributed mode on another host. Note that you need administrator permissions to see this option.

However, on Splunk Cloud Platform, this information is not available. The Monitoring Console is unavailable, and its replacement, the Cloud Monitoring Console app, doesn't convey this information. Fortunately, there are some internal logs within Splunk that can help us figure out the sizing of our search head. We can then use that information to deduce the AWS instance size that Splunk Cloud is using for your stack.

Begin by running this search:

index=_internal host="sh-*.splunkcloud.com" sourcetype=splunkd Detected "CPU cores" earliest=-30d@d

Note: this search relies on startup messages that occur when Splunk restarts. Your instance must have been restarted in the past 30 days in order for these logs to appear. 

In your search results, you will see loader events from splunkd.log. These will contain the following information:

In these events, we’ll see a few different search heads, with varying specifications. One host has 36 virtual CPUs, and the other has 72 virtual CPUs:

Detected 36 (virtual) CPUs, 18 CPU cores, and 70236MB RAM
Detected 72 (virtual) CPUs, 36 CPU cores, and 140756MB RAM

From here, we can reference the AWS instance types page to deduce what type of system matches those specifications. At the time of writing (May 2022), it appears that Splunk Cloud generally uses C5 instances for search heads.

Looking at the C5 instance types page, we can see that there are two instances that match the CPU/memory combinations:

  • c5.9xl = 36 vCPU and 72GB of RAM
  • c5.18xl = 72 vCPU and 144GB of RAM

Since these match the startup messages in Splunk, it’s a pretty good assumption that our search heads in this deployment are c5.9xl and c5.18xl instances, respectively. 
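The matching step above can be scripted over exported search results. This is an added example, not code from the original article: the host names and log prefixes are constructed, the function names are hypothetical, and the 10% RAM tolerance is an assumption based on the detected values sitting a few percent below the listed sizes.

```python
import re

# Message format quoted in the article's splunkd.log loader events.
DETECTED = re.compile(
    r"Detected (\d+) \(virtual\) CPUs, (\d+) CPU cores, and (\d+)MB RAM")

# (label, vCPUs, listed RAM in GB) for the two C5 sizes named in the article.
# Extend from the AWS instance types page for other families (e.g. indexers).
INSTANCE_TABLE = [("c5.9xl", 36, 72), ("c5.18xl", 72, 144)]

def parse_detected(line):
    """Return (vcpus, cores, ram_mb) from a loader event, or None."""
    m = DETECTED.search(line)
    return tuple(int(g) for g in m.groups()) if m else None

def match_instance(vcpus, ram_mb, max_shortfall=0.10):
    """Exact vCPU match; detected RAM may fall up to max_shortfall
    (assumed tolerance) below the listed size, but never above it."""
    for label, t_vcpus, t_ram_gb in INSTANCE_TABLE:
        listed_mb = t_ram_gb * 1024
        if vcpus == t_vcpus and listed_mb * (1 - max_shortfall) <= ram_mb <= listed_mb:
            return label
    return None  # no candidate: report the raw numbers instead of guessing

def size_hosts(events):
    """events: (host, raw_event) pairs, oldest first. The newest startup
    message per host wins, since a stack can be resized between restarts."""
    sizes = {}
    for host, raw in events:
        parsed = parse_detected(raw)
        if parsed is None:
            continue  # not a "Detected ..." loader message
        vcpus, cores, ram_mb = parsed
        sizes[host] = {"vcpus": vcpus, "cores": cores, "ram_mb": ram_mb,
                       "instance": match_instance(vcpus, ram_mb)}
    return sizes

# Constructed sample events; only the "Detected ..." text follows the article.
SAMPLE_EVENTS = [
    ("sh-a.example.splunkcloud.com", "INFO loader - Detected 36 (virtual) CPUs, 18 CPU cores, and 70236MB RAM"),
    ("sh-b.example.splunkcloud.com", "INFO loader - Detected 72 (virtual) CPUs, 36 CPU cores, and 140756MB RAM"),
    ("sh-b.example.splunkcloud.com", "INFO loader - Splunkd starting"),
    ("sh-c.example.splunkcloud.com", "INFO loader - Detected 8 (virtual) CPUs, 4 CPU cores, and 15000MB RAM"),
]

if __name__ == "__main__":
    for host, info in size_hosts(SAMPLE_EVENTS).items():
        print(host, info)
```

A host that comes back with `instance` set to `None` has specifications outside the table, so look it up on the AWS instance types page before drawing a conclusion.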

Curious about other instances in your environment (such as indexers)? You can do the same type of search by simply changing the host entry from host="sh-*.splunkcloud.com" to something like host="idx-*.splunkcloud.com" instead. Note that these are typically i3 or i3en instances in most current Splunk Cloud stacks. Also, if you’re trying to identify the resources on any system sending data to Splunk, this approach works for universal forwarders too. 

Happy Splunking! 

Having a quick way to determine what CPU and memory resources are available on your Splunk search head can help you be better informed when troubleshooting potential issues in your environment.
