Performance reference for the Splunk Add-on for Windows

The following table lists search-time performance metrics for Windows TA version 9.0.0, measured with 6.4M total ingested events.

| Source type | Search query | Event count | Search time in seconds |
| --- | --- | --- | --- |
| Perfmon:Process | `index=main sourcetype=Perfmon:Processor` | 100000 | 3.91 |
| WMI:LocalProcesses | `index=main sourcetype=WMI:LocalProcesses` | 100000 | 2.9 |
| WMI:LocalNetwork | `index=main sourcetype=WMI:LocalNetwork` | 100000 | 2.75 |
| WMI:Service | `index=main sourcetype=WMI:Service` | 100000 | 7.83 |
| MSAD:NT6:DNS | `index=main sourcetype=MSAD:NT6:DNS` | 100000 | 9.58 |
| WMI:FreeDiskSpace | `index=main sourcetype=WMI:FreeDiskSpace` | 100000 | 2.61 |
| PerfmonMk:ProcessorInformation | `index=main sourcetype=PerfmonMk:ProcessorInformation` | 100000 | 3.02 |
| Script:ListeningPorts | `index=main sourcetype=Script:ListeningPorts` | 100000 | 2.56 |
| WMI:LocalPhysicalDisk | `index=main sourcetype=WMI:LocalPhysicalDisk` | 100000 | 3.16 |
| Script:NetworkConfiguration | `index=main sourcetype=Script:NetworkConfiguration` | 100000 | 2.52 |
| WinEventLog | `index=main sourcetype=WinEventLog` | 100000 | 6.22 |
| PerfmonMk:DFS_Replicated_Folders | `index=main sourcetype=PerfmonMk:DFS_Replicated_Folders` | 100000 | 5.28 |
| MSAD:NT6:DNS-Health | `index=main sourcetype=MSAD:NT6:DNS-Health` | 100000 | 6.08 |
| Perfmon:CPU | `index=main sourcetype=Perfmon:CPU` | 100000 | 3.01 |
| XmlWinEventLog | `index=main sourcetype=XmlWinEventLog` | 100000 | 11.14 |
| Perfmon:DFS_Replicated_Folders | `index=main sourcetype=Perfmon:DFS_Replicated_Folders` | 100000 | 2.54 |
| PerfmonMk:System | `index=main sourcetype=PerfmonMk:System` | 100000 | 3.89 |
| DhcpSrvLog | `index=main sourcetype=DhcpSrvLog` | 100000 | 5.38 |
| WMI:ComputerSystem | `index=main sourcetype=WMI:ComputerSystem` | 100000 | 2.18 |
| ActiveDirectory | `index=main sourcetype=ActiveDirectory` | 100000 | 13.27 |
| PerfmonMk:PhysicalDisk | `index=main sourcetype=PerfmonMk:PhysicalDisk` | 100000 | 13.24 |
| PerfmonMk:CPU | `index=main sourcetype=PerfmonMk:CPU` | 100000 | 3.09 |
| PerfmonMk:LogicalDisk | `index=main sourcetype=PerfmonMk:LogicalDisk` | 100000 | 4.28 |
| Script:TimesyncStatus | `index=main sourcetype=Script:TimesyncStatus` | 100000 | 9.25 |
| WMI:InstalledUpdates | `index=main sourcetype=WMI:InstalledUpdates` | 100000 | 3.25 |
| WMI:Uptime | `index=main sourcetype=WMI:Uptime` | 100000 | 2.74 |
| WMI:Memory | `index=main sourcetype=WMI:Memory` | 100000 | 4.87 |
| Perfmon:DNS | `index=main sourcetype=Perfmon:DNS` | 100000 | 2.72 |
| Script:TimesyncConfiguration | `index=main sourcetype=Script:TimesyncConfiguration` | 100000 | 10.84 |
| WindowsUpdateLog | `index=main sourcetype=WindowsUpdateLog` | 100000 | 3.69 |
| Perfmon:Memory | `index=main sourcetype=Perfmon:Memory` | 100000 | 2.94 |
| WMI:UserAccounts | `index=main sourcetype=WMI:UserAccounts` | 100000 | 4.82 |
| Perfmon:System | `index=main sourcetype=Perfmon:System` | 100000 | 3.62 |
| Perfmon:Network_Interface | `index=main sourcetype=Perfmon:Network_Interface` | 100000 | 2.6 |
| PerfmonMk:Processor | `index=main sourcetype=PerfmonMk:Processor` | 100000 | 3.23 |
| PerfmonMk:DNS | `index=main sourcetype=PerfmonMk:DNS` | 100000 | 6.22 |
| WMI:Version | `index=main sourcetype=WMI:Version` | 100000 | 2.95 |
| WinNetMon | `index=main sourcetype=WinNetMon` | 100000 | 2.97 |
| WMI:WinEventLog:Application | `index=main sourcetype=WMI:WinEventLog:Application` | 100000 | 5.17 |
| MSAD:NT6:Health | `index=main sourcetype=MSAD:NT6:Health` | 100000 | 3.11 |
| WinRegistry | `index=main sourcetype=WinRegistry` | 100000 | 6.34 |
| Perfmon:NTDS | `index=main sourcetype=Perfmon:NTDS` | 100000 | 3.13 |
| MSAD:NT6:SiteInfo | `index=main sourcetype=MSAD:NT6:SiteInfo` | 100000 | 2.45 |
| MSAD:NT6:DNS-Zone-Information | `index=main sourcetype=MSAD:NT6:DNS-Zone-Information` | 100000 | 4.85 |
| Script:InstalledApps | `index=main sourcetype=Script:InstalledApps` | 100000 | 10.17 |
| MSAD:NT6:Replication | `index=main sourcetype=MSAD:NT6:Replication` | 100000 | 2.29 |
| WinHostMon | `index=main sourcetype=WinHostMon` | 100000 | 5.84 |
| PerfmonMk:Network | `index=main sourcetype=PerfmonMk:Network` | 100000 | 3.87 |
| MSAD:NT6:Netlogon | `index=main sourcetype=MSAD:NT6:Netlogon` | 100000 | 2.16 |
| WMI:CPUTime | `index=main sourcetype=WMI:CPUTime` | 100000 | 3.88 |
| WMI:ScheduledJobs | `index=main sourcetype=WMI:ScheduledJobs` | 100000 | 2.52 |
| PerfmonMk:Memory | `index=main sourcetype=PerfmonMk:Memory` | 100000 | 4.46 |
| Perfmon:Network | `index=main sourcetype=Perfmon:Network` | 100000 | 4.99 |
| PerfmonMk:NTDS | `index=main sourcetype=PerfmonMk:NTDS` | 100000 | 14.08 |
| Perfmon:PhysicalDisk | `index=main sourcetype=Perfmon:PhysicalDisk` | 100000 | 2.36 |
| WMI:LogicalDisk | `index=main sourcetype=WMI:LogicalDisk` | 100000 | 4.54 |
| win:bios | `index=main sourcetype=win:bios` | 100000 | 7.8 |
| WMI:WinEventLog:Security | `index=main sourcetype=WMI:WinEventLog:Security` | 100000 | 17.16 |
| Perfmon:LogicalDisk | `index=main sourcetype=Perfmon:LogicalDisk` | 100000 | 4.36 |
| PerfmonMk:Process | `index=main sourcetype=PerfmonMk:Process` | 100000 | 4.36 |
| Perfmon:ProcessorInformation | `index=main sourcetype=Perfmon:ProcessorInformation` | 100000 | 2.78 |
| PerfmonMk:Network_Interface | `index=main sourcetype=PerfmonMk:Network_Interface` | 100000 | 4.97 |
| WMI:WinEventLog:System | `index=main sourcetype=WMI:WinEventLog:System` | 100000 | 5 |
| Perfmon:Processor | `index=main sourcetype=Perfmon:Processor` | 100000 | 2.45 |

The following table provides the average events per second (EPS) for the listed WinEventLog channels:

| Log Name | Number of Events | Seconds (Classic) | EPS (Classic) | Seconds (XML) | EPS (XML) |
| --- | --- | --- | --- | --- | --- |
| Application | 50000 | 8.5 | 5882 | 9.75 | 5128 |
| System | 50000 | 9.5 | 5263 | 10.2 | 4901 |
| Security | 45377 | 13.33 | 3404 | 16 | 2836 |
| Powershell | 50000 | 7.33 | 6821 | 8 | 6250 |