https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112262#M29485 <P>Do you ever use the <CODE>fields</CODE> command to only retrieve the relevant fields ?</P> Thu, 13 Nov 2014 19:24:35 GMT aljohnson_splun 2014-11-13T19:24:35Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112261#M29484 <P>We have indexed access logs into index="mpsapp", When we do a stats search or filter any records for these data for a particular month, it's extremely slow (took more than 1.5 hours for first query). Can you please tell us how to optimize this query?</P> <P>Sample Splunk Queries :</P> <OL> <LI>index="mpsapp" | stats count by response_code (filtered time range only for October month, we have extracted the filed response_code in search node)</LI> <LI>source="<EM>mps</EM>" date_year=2014 date_month=october response_code!=200</LI> <LI>date_year=2014 date_month=november site="fandango-web" path="%2F"</LI> </OL> <P>Total Events for the month of October is : 355,925,951 events (10/1/14 12:00:00.000 AM to 11/1/14 12:00:00.000 AM)<BR /> Splunk Version : 6.1.4</P> <P>Is there any configuration level optimization required to speed-up the query response? Please share your suggestions.</P> Mon, 28 Sep 2020 18:07:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112261#M29484 dhavamanis 2020-09-28T18:07:49Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112262#M29485 <P>Do you ever use the <CODE>fields</CODE> command to only retrieve the relevant fields ?</P> Thu, 13 Nov 2014 19:24:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112262#M29485 aljohnson_splun 2014-11-13T19:24:35Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112263#M29486 <P>we haven't tried any fields command. Can you please give me some sample for fields command.</P> Thu, 13 Nov 2014 19:27:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112263#M29486 dhavamanis 2014-11-13T19:27:11Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112264#M29487 <P>Hi dhavamanis,</P> <P>try to use <CODE>index</CODE> and any of the <CODE>metadata</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Metadata">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Metadata</A> fields ( host, source or sourcetype) in your searches. Try to filter the fields as tight as possible in your base search or use <CODE>fields</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Fields#Examples">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Fields#Examples</A> as @aljohnson_splunk mentioned.</P> <P>Do not use <CODE>NOT</CODE> searches, rather search for events that you want and need.</P> <P>Also, take a look at this great Answer of @jrodman about <STRONG>How do optimizations for field-based searches work</STRONG> <A href="http://answers.splunk.com/answers/172275/how-do-optimizations-for-field-based-searches-work.html#answer-172230">http://answers.splunk.com/answers/172275/how-do-optimizations-for-field-based-searches-work.html#answer-172230</A></P> <P>hope this helps to understand the possibilities to speed up your searches...</P> <P>cheers, MuS</P> Thu, 13 Nov 2014 21:04:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112264#M29487 MuS 2014-11-13T21:04:02Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112265#M29488 <PRE><CODE> sourcetype=access_combined </CODE></PRE> <P>Job Inspector: This search has completed and has returned 1,000 results by scanning 177,830 events in 14.393 seconds.</P> <PRE><CODE>sourcetype=access_combined | fields clientip bytes action </CODE></PRE> <P>Job Inpector: This search has completed and has returned 1,000 results by scanning 177,835 events in 3.508 seconds.</P> <P>It's similar to using fast mode. Are you using fast mode? <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Changethesearchmode">Set search mode to adjust your search experience</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Installation/Summaryofperformancerecommendations">Performance recommendations</A> <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Installation/HowsearchtypesaffectSplunkperformance">How search types affect performance</A></P> Thu, 13 Nov 2014 21:08:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112265#M29488 aljohnson_splun 2014-11-13T21:08:04Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112266#M29489 <P>Thanks!. We have accelerated the report and added to Dashboard. Using the summary index and its fetching results very fast.</P> Wed, 10 Dec 2014 21:11:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112266#M29489 dhavamanis 2014-12-10T21:11:42Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112267#M29490 <P>We have done the following things after doing R &amp; D.</P> <P>1.Changed date range from real time to today.<BR /> 2.Set dashboard refresh time to every 5 minutes.<BR /> 3.Summary indexing<BR /> 4.Report acceleration <BR /> 5.Scheduled this search every 5 minutes so it will save in the cache.<BR /> 6.Search query optimization.<BR /> 7.Auto restart splunk daily at 2:00 AM UTC so that memory will be released.<BR /> 8.Set high priority to this dashboard.<BR /> 7.Set high priority to this scheduled search.<BR /> 8.Run stats tables first then start charts.<BR /> 9.Changed the delimer of raw data from text files method to new way which will reduce the time while converting raw data to fields of delimiting proccess.<BR /> 10.Reduce the number of indexes and source type</P> <P>After all this my dashboards loading time reduced from 3 minutes to less than 10 seconds.</P> <P>Super fast</P> Wed, 26 Apr 2017 10:16:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112267#M29490 puneethgowda 2017-04-26T10:16:11Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112268#M29491 <P>You can improve the performance by 10 X times by using Splunk meta data fields. I can help you in that please contact me in fiverr or Email (<A href="mailto:hurdlej1@gmail.com">hurdlej1@gmail.com</A>)</P> <P><A href="https://www.fiverr.com/s2/affc9b7a8a">https://www.fiverr.com/s2/affc9b7a8a</A><BR /> <A href="https://www.fiverr.com/s2/608e8ed73f?utm_source=CopyLink_Mobile">https://www.fiverr.com/s2/608e8ed73f?utm_source=CopyLink_Mobile</A></P> Sat, 31 Aug 2019 13:24:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-the-performance-of-our-Splunk-search-query/m-p/112268#M29491 preactivity 2019-08-31T13:24:48Z