Monitoring Splunk

Is there any way to speed up searches?

tier2ops
Explorer

I have a search that is taking a few days to run.

Here is the search string:

sourcetype="bcoat_proxysg" | stats dc(c_ip) by date

I send the search to the background and can continue to work but I want to know if there is a way to speed up the this search. Thanks.

Other information:

Running Splunk 4.0.11

PowerEdge R710

Linux 2.6.18-92.el5 CentOS 5.2

load average: 1.39, 1.92, 4.95

MemTotal: 24675796 kB MemFree: 10980696 kB

Tags (2)
0 Karma

araitz
Splunk Employee
Splunk Employee
  • run your search in the "Advanced Charting" view rather than "Search" view
  • disable "Preview" checkbox
  • make sure you "Save" your search in the Jobs Manager
  • run "Search Profiler" to see where the bottlenecks are in your search

Stephen_Sorkin
Splunk Employee
Splunk Employee

These are all very good suggestions. In general, counting distinct counts are expensive as it requires storing every possible value of the field. What are the possible values for "date" here? Your search here will be faster if you run the search for every possible date value separately and then combine the results (perhaps by using a summary index).

0 Karma

bbingham
Builder

You could use a summary index for your IP and time fields. Populate the summary table at a set frequency, and then set your search to use the summary index as a source.

What are your goals in this search? Just a distinct IP for each day? min? second? Total hits?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...