topic Common Information Model (CIM) Performance Tuning in All Apps and Add-ons https://community.splunk.com/t5/All-Apps-and-Add-ons/Common-Information-Model-CIM-Performance-Tuning/m-p/597401#M76803 <P>Hello.&nbsp;<BR /><BR />Our organization has one of our Data Model (DM) searches for ES regularly running over 200 seconds to complete.&nbsp; Soon another source will be added to the DM, so I have been looking for ways to reduce the runtime.&nbsp;&nbsp;<BR /><BR />I came across a site that suggested the macros that build the CIM DM's could be faster by adding the sourcetype alongside the index in the search.&nbsp; My thought was, "Why stop there?"&nbsp; You could add the source too, as long as it doesn't iterate with a date or some random number scheme.&nbsp; And even then, with reasonable wildcarding at the end I believe there would be a performance improvement.<BR /><BR />I was told that this effort is unnecessary, even though in my unofficial tests over the same period, I found my modified searches to nearly twice as fast.&nbsp; So aside from the additional effort to build those searches and maintain them, why is this unnecessary?&nbsp;&nbsp;<BR /><BR />Thanks<BR />AJ</P> Wed, 11 May 2022 13:42:04 GMT kernand0 2022-05-11T13:42:04Z Common Information Model (CIM) Performance Tuning https://community.splunk.com/t5/All-Apps-and-Add-ons/Common-Information-Model-CIM-Performance-Tuning/m-p/597401#M76803 <P>Hello.&nbsp;<BR /><BR />Our organization has one of our Data Model (DM) searches for ES regularly running over 200 seconds to complete.&nbsp; Soon another source will be added to the DM, so I have been looking for ways to reduce the runtime.&nbsp;&nbsp;<BR /><BR />I came across a site that suggested the macros that build the CIM DM's could be faster by adding the sourcetype alongside the index in the search.&nbsp; My thought was, "Why stop there?"&nbsp; You could add the source too, as long as it doesn't iterate with a date or some random number scheme.&nbsp; And even then, with reasonable wildcarding at the end I believe there would be a performance improvement.<BR /><BR />I was told that this effort is unnecessary, even though in my unofficial tests over the same period, I found my modified searches to nearly twice as fast.&nbsp; So aside from the additional effort to build those searches and maintain them, why is this unnecessary?&nbsp;&nbsp;<BR /><BR />Thanks<BR />AJ</P> Wed, 11 May 2022 13:42:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Common-Information-Model-CIM-Performance-Tuning/m-p/597401#M76803 kernand0 2022-05-11T13:42:04Z