Parallelism can be achieved through Splunk search queries by appending to the searchFilter;

`*| where floor(_time/60)-(N*floor(floor(_time/60)/N))=M*` where `N` is the number or parallel agents, and `M` is the agent identifier (ranging from 0 to N-1)

This is basically just combining a conversion of epoch to minutes [floor(_time/60)], and a modulo function [a-(n*floor(a/n) where 'a' is the input, and 'n' is the divisor]

For example, to run 2 Agents, you can have one Agent capture only even minutes with the following added to the searchFilters config:

`*| where floor(_time/60)-(2*floor(floor(_time/60)/2))=0*`

You'd also want to add the following to the other Agent, to capture the odd minutes.

`*| where floor(_time/60)-(2*floor(floor(_time/60)/2))=1*`

Note that each of these configurations will require a separate config group within Ambari so that you don't end up with the same machines running duplicate configurations.

## Comments