https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213436#M62610 <P>I searched for sourcetype=java "xyz" it just returns 202 events and scanned events are 12452, it takes 8 minutes for the search. why so much time it is taking?<BR /> My system configuration- Single instance machine with 4 core @3.3 GHz, 16 GB RAM and 64 bit OS.</P> Mon, 25 Apr 2016 06:32:30 GMT Bhagyashri 2016-04-25T06:32:30Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213436#M62610 <P>I searched for sourcetype=java "xyz" it just returns 202 events and scanned events are 12452, it takes 8 minutes for the search. why so much time it is taking?<BR /> My system configuration- Single instance machine with 4 core @3.3 GHz, 16 GB RAM and 64 bit OS.</P> Mon, 25 Apr 2016 06:32:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213436#M62610 Bhagyashri 2016-04-25T06:32:30Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213437#M62611 <P>What kind of data source is it? Sourcetype? Do you have extractions running? What does your search look like? Are you running other things on the machine? What does job inspector say?</P> Mon, 25 Apr 2016 07:54:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213437#M62611 esix_splunk 2016-04-25T07:54:06Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213438#M62612 <P>Actually it is text kind of file and i have given custom sourcetype as java. No it dont have extractions runing. Search running in smart mode. Nothing is running on machine. Not even monitoring of file, just doing search.<BR /> Job inspector shows:<BR /> Command. Search takes more time , in that command.search.filter 285 sec<BR /> Command.search.rawdata 200 sec<BR /> Dispatch.fetch 1072 sec<BR /> Dispatch.localsearch n dispatch.stream.local also taking more time<BR /> My search query is<BR /> Sourcetype=java "w(0×40D9)" | fields + source | fields - _raw, _time</P> Mon, 25 Apr 2016 08:34:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213438#M62612 Bhagyashri 2016-04-25T08:34:19Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213439#M62613 <P>Dispatch.fetch is taking a long time to run. So this is most likely related to slow disks. Search is disk intensive in most cases.</P> Mon, 25 Apr 2016 11:48:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213439#M62613 esix_splunk 2016-04-25T11:48:58Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213440#M62614 <P>But in splunk document they mentioned that search related to cpu.. 1 cpu per search..<BR /> What kid of disk should be used for search performance?</P> Mon, 25 Apr 2016 12:19:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213440#M62614 Bhagyashri 2016-04-25T12:19:18Z https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213441#M62615 <P>Here's some places to start reading to find out about Splunk and search performance. Reading indexed disk on data is I/o intensive and bound by that.. So having 7200rpm+ disks (SSD or 15krpm) is recommended. Dont do virtual disks and expect good performance.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches">http://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements">http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements</A></P> Mon, 25 Apr 2016 13:28:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-search-Takes-more-time/m-p/213441#M62615 esix_splunk 2016-04-25T13:28:29Z