Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best approach for speeding up Splunk Searches

Dark_Ichigo
Builder
‎05-02-2012 07:11 PM

Searches with the "Transaction" command for example can be really slow, What would be the best approach for speeding up searches in Splunk in terms of Hardware and Search Optimization.

Note: Please do not advise that I use Sub-searches in any way, I have given up on using them long ago!

Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-03-2012 01:32 PM

As Kristian demonstrated, sometimes the best way to make transaction operations faster is not to use transaction at all. If your transaction is simple enough, you can express it using stats with a by clause. This is much much faster.

If your transaction is too complex to manage with stats, then you should go out of your way to minimize the number of events dealt with. For example, if you're looking for 3 or 4 events out of 20 that make up a transaction, search only on those 3 or 4, like:

sourcetype=foo  ( event 1 stuff ) OR ( event 2 stuff ) OR ( event 3 stuff ) | transaction

Also, limit the size/scope of your transactions by using startswith / endswith so that transaction can "complete" them as soon as possible.

Reply

kristian_kolb
Ultra Champion
‎05-03-2012 12:55 AM

In general, try to limit the time span first. And be as specific as possible before the first pipe. The more you can limit the search before the first pipe, the better.

The following searches for unique visits (not visitors) and bytecount should result in a table like:

clientip      visits     sum(bytes) 
10.11.12.13     42         89231
11.12.13.14     32         12212
12.13.14.15     11         12341

BAD:

sourcetype=access_combined | transaction JSESSIONID | search host=www1.company.com | stats count AS visits sum(bytes) by clientip

BETTER:

sourcetype=access_combined host=www1.company.com | transaction JSESSIONID | stats count AS visits sum(bytes) by clientip

BEST:

sourcetype=access_combined host=www1.company.com | stats distinct_count(JSESSIONID) AS visits sum(bytes) by clientip

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...