best tips for speeding up searches?

asked 10 May '11, 10:19

transamrit
(suspended)
accept rate: 0%

edited 11 May '11, 08:55


3 Answers:

One could write a novel on this, but I'll focus on reporting type searches...

  • Use the Advanced Charting view - this typically speeds up most searches of this type
  • From the "search" view: remove any unnecessary field extractions by turning off field discovery and using the fields command so that it only returns the field you desire (e.g. "my error | fields host").
  • For reports that need to analyze millions of events AND are run consistently, use summary indexing
  • Create a dashboard that persists a saved search (see below)
  • For dashboards, create a saved search and force the dashboard to use the persisted result (useHistory parameter)
  • If you have multiple indexes, search the specific index you need to report on.
  • If your result set contains indexed fields, leverage them in your search (by default Splunk indexes host, source and sourcetype)
  • Create a distributed search environment and leverage the map/reduce feature (add an indexer)
  • For extremely large summary search reports on systems where you have many CPUs available for searching, schedule parallel searches on subsets of the data
  • If your search environment is distributed and you DON'T need to run it remotely, use the 'localop' command (e.g. a local summary index search or geoip lookup)

answered 10 May '11, 11:08

Simeon ♦
accept rate: 26%

edited 17 May '11, 10:26

thanks!

(11 May '11, 08:54) transamrit

  • Turn field discovery off if you haven't used any additional fields, perhaps....
  • Select a smaller time range than "All Time".
  • Perhaps your search is too generic? Try narrowing the search down to the more specific data that you are looking for....

Thinking of other ways......hmmm....

answered 10 May '11, 10:34

gnovak
accept rate: 20%

It's going to sound obvious, but, "be as specific as you can be" in your search. I've got nearly 500,000,000 events in my Splunk at the moment and I definitely get the best results for speed when I use as many of the indexed fields as possible in my query. Host, source, sourcetype, time range (important one!), index name, and so on.

As others have pointed out, if you can disable field discovery, that will help a lot as well.

answered 10 May '11, 13:40

howyagoin
accept rate: 55%
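The three answers above (Simeon's list, and gnovak's and howyagoin's "be as specific as you can" advice) put together as one savedsearches.conf, as an added example that is not part of the original thread. The index names (web, summary), the sourcetype (access_combined), the host pattern and the status field are assumptions for illustration; the first stanza is the slow search as asked, the second does the work once on a schedule and writes partial results to a summary index, and the third is what a dashboard would actually run.

```ini
# Added example, not from the original thread. Index names (web, summary),
# sourcetype (access_combined), host pattern and field names are assumed.

# 1. The slow starting point: a bare keyword over every index and "All Time",
#    with field discovery left on, so every matching event is fetched from
#    every index and fully parsed at search time.
[errors by host (slow)]
search = error
dispatch.earliest_time = 0
dispatch.latest_time = now

# 2. Same question, narrowed. index, sourcetype and host are indexed fields,
#    so buckets are pruned before raw events are read; the bounded time range
#    limits the scan; "fields" stops extraction of everything stats does not
#    need. Scheduled hourly, with sistats writing pre-aggregated rows into the
#    summary index so the heavy lifting happens once, not on every page load.
[errors by host (hourly summary)]
search = index=web sourcetype=access_combined host=web* status>=500 | fields host status | sistats count by host
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary

# 3. The report the dashboard runs: finish the stats over the summary rows
#    (search_name is set on each summary event by the scheduler), touching a
#    few hundred events for a week instead of millions of raw ones.
[errors by host (from summary, last 7 days)]
search = index=summary search_name="errors by host (hourly summary)" | stats count by host | sort - count
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
```

Two things to check after deploying this: the summary index must exist on the indexer before the first scheduled run, and the hourly window (-1h@h to @h) must line up with the cron offset so no hour is counted twice or skipped; a missed run can be backfilled with the fill_summary_index.py script that ships with Splunk.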


Asked: 10 May '11, 10:19

Seen: 1,546 times

Last updated: 17 May '11, 10:26

Copyright © 2005-2012 Splunk Inc. All rights reserved.