https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391097#M113845 <P>In most cases, I don't notice a huge difference when I specify a fieldname or do a free text search, but for some fields it is literally 260 times slower.</P> <P>Are searches using fieldnames supposed to be slower than free text?<BR /> What is it about these particular fields that make it unbearably slow?</P> <P>For instance:<BR /> index=main myusername<BR /> This search has completed and has returned 1,774 results by scanning 1,774 events in 2.65 seconds</P> <P>index=main user=myusername<BR /> This search has completed and has returned 1,774 results by scanning 40,885,115 events in 689.411 seconds</P> Fri, 24 May 2019 20:37:40 GMT john_byun 2019-05-24T20:37:40Z https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391097#M113845 <P>In most cases, I don't notice a huge difference when I specify a fieldname or do a free text search, but for some fields it is literally 260 times slower.</P> <P>Are searches using fieldnames supposed to be slower than free text?<BR /> What is it about these particular fields that make it unbearably slow?</P> <P>For instance:<BR /> index=main myusername<BR /> This search has completed and has returned 1,774 results by scanning 1,774 events in 2.65 seconds</P> <P>index=main user=myusername<BR /> This search has completed and has returned 1,774 results by scanning 40,885,115 events in 689.411 seconds</P> Fri, 24 May 2019 20:37:40 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391097#M113845 john_byun 2019-05-24T20:37:40Z https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391098#M113846 <P>Good question<BR /> In Search <CODE>index=main myusername</CODE>, You are searching for string of "myusername" and it is blazingly fast in Splunk. </P> <P>But in search <CODE>index=main user=myusername</CODE> . you are searching for a key-value field. Splunk doesn't now if that's raw data, or evaluated field. So it has use the TA's , props/transforms/eventypes or enriched fields kinda.</P> <P>Some good tips which I do are<BR /> =&gt; If you are sure, that the keyword is present in raw data then do <CODE>index=main myusername user=myusername</CODE><BR /> =&gt; Use TERM if you know the key-value pair is present in the raw data<BR /> =&gt; if its an index field, you could use double colon (::) for <A href="https://answers.splunk.com/answers/356832/why-does-my-search-fail-when-searching-indexed-ext.html">key-value pair</A></P> Fri, 24 May 2019 20:56:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391098#M113846 koshyk 2019-05-24T20:56:01Z https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391099#M113847 <P>Let me ask a slightly different question. In general, is it going to be faster using a string search compared to a field search?</P> Wed, 29 May 2019 22:13:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-searches-using-certain-fieldnames-so-slow/m-p/391099#M113847 john_byun 2019-05-29T22:13:24Z