Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Speed up a duration search?

mark_chuman
Path Finder
‎11-21-2014 01:06 PM

Here is my search. I'm trying to get a report on the duration between an ESXi host sync task in vCenter logs. The search works ok in searches that are looking over say 15 minutes or so, but seriously slows down when going to 4 days and beyond. Any idea how to speed things up? Thanks!

index=distributed sourcetype=vcenter_* "task-internal" | rex "task-internal-(?\w+)" | transaction TASKID maxspan=-1 | timechart avg(duration)

Here are example log entries -

11/21/14
3:59:43.000 PM

2014-11-21T15:59:43.760-05:00 [01928 info 'commonvpxLro' opID=HB-host-52@132635-1b9acc5a] [VpxLRO] -- BEGIN task-internal-574059 -- host-52 -- VpxdInvtHostSyncHostLRO.Synchronize --
eventtype = nix-all-logs
11/21/14
3:59:43.000 PM

2014-11-21T15:59:43.758-05:00 [11912 info 'commonvpxLro' opID=HB-host-901@183888-5f049582] [VpxLRO] -- FINISH task-internal-574059 -- host-901 -- VpxdInvtHostSyncHostLRO.Synchronize --
eventtype = nix-all-logs

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-22-2014 06:40 AM

There are several steps towards speeding up this search:

  1. Remove unnecessary events from the search: index=distributed sourcetype=vcenter_* "task-internal" (BEGIN OR FINISH)
  2. Make the transaction more targeted: ... | transaction TASKID startswith="BEGIN" endswith="FINISH"
  3. As suggested in the comments, avoid running one huge transaction and either switch to stats or chunk up the work with summary indexing. Beware though of transactions that start in one chunk and finish in the other, you will need to write your search to cover that overlap smartly.

I'd test #1 and #2 together first, see if that speeds up the search well enough. If not, consider #3.

Additionally, do post the timing info at the top of the job inspector for us to look at what's taking up the most time.

0 Karma
Reply

mark_chuman
Path Finder
‎11-21-2014 01:50 PM

Aside from speeding things up is there a better way to chart the duration between say these two examples (between a BEGIN and FINISH log entry)?

0 Karma
Reply

somesoni2
Revered Legend
‎11-21-2014 02:01 PM

Is your task id unique everytime? If yes then your can use stats (first and last of _time ) to calculate duration and that would be way faster than transaction.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-21-2014 01:59 PM

Is this answer of any help? They use min & max.

Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-21-2014 01:31 PM

Have you checked out summary indexing? Your search would also be a lot faster if you can find a way to avoid using the transaction command, which is notoriously slow (e.g. using stats and a by clause)

Reply

mark_chuman
Path Finder
‎11-21-2014 01:48 PM

yes, the transaction command is the culprit on the slow down. I'll take a look at summary indexing

0 Karma
Reply

somesoni2
Revered Legend
‎11-21-2014 01:42 PM

Agree, also, saving your field extraction to props.conf would also speed up your search.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...