https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112854#M23641 <P>Hi pradeepchhetri,</P> <P>This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....</P> <P>here are some basic troubleshooting things:</P> <UL> <LI>do both sourcetypes have exactly the same event count over the exact same time range?</LI> <LI>is your search head / indexer over loaded?</LI> <LI>are there any saved searches running?</LI> <LI>check the job inspector to get any idea why one search is running slower as the other.</LI> </UL> <P>you see, there is a lot to check for you.</P> <P>cheers, MuS</P> Fri, 20 Jun 2014 11:22:29 GMT MuS 2014-06-20T11:22:29Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112851#M23638 <P>Hi,</P> <P>We have a splunk machine running with all the events going to one index. I noticed that for two different sourcetype, I got different search performance. For one of the sourcetype, searching happened very quickly but it was very slow for the other. Can someone explain me why i am getting such a difference.</P> <P>Regards.</P> Fri, 20 Jun 2014 09:21:21 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112851#M23638 pradeepchhetri 2014-06-20T09:21:21Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112852#M23639 <P>Can you post your search query ?</P> Fri, 20 Jun 2014 09:43:17 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112852#M23639 splunker12er 2014-06-20T09:43:17Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112853#M23640 <P>my search query just includes: sourcetype="production" and sourcetype="staging"</P> Fri, 20 Jun 2014 09:59:16 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112853#M23640 pradeepchhetri 2014-06-20T09:59:16Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112854#M23641 <P>Hi pradeepchhetri,</P> <P>This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....</P> <P>here are some basic troubleshooting things:</P> <UL> <LI>do both sourcetypes have exactly the same event count over the exact same time range?</LI> <LI>is your search head / indexer over loaded?</LI> <LI>are there any saved searches running?</LI> <LI>check the job inspector to get any idea why one search is running slower as the other.</LI> </UL> <P>you see, there is a lot to check for you.</P> <P>cheers, MuS</P> Fri, 20 Jun 2014 11:22:29 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112854#M23641 MuS 2014-06-20T11:22:29Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112855#M23642 <P>@Mus: Thank you for the reply. I will do the troubleshooting accordingly and let you know the outcome.</P> Fri, 20 Jun 2014 12:01:03 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112855#M23642 pradeepchhetri 2014-06-20T12:01:03Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112856#M23643 <P>I'm going to guess that <CODE>production</CODE> will have much more data than <CODE>staging</CODE>.</P> Fri, 20 Jun 2014 14:43:25 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112856#M23643 martin_mueller 2014-06-20T14:43:25Z https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112857#M23644 <P>@Mus: @martin_mueller: Just realized that the difference was due to fast-mode and smart-mode search types, although both has same number of events. Thank you for the help.</P> Mon, 23 Jun 2014 06:48:28 GMT https://community.splunk.com/t5/Getting-Data-In/Different-search-performance-for-two-sourcetype/m-p/112857#M23644 pradeepchhetri 2014-06-23T06:48:28Z