topic Re: Improve Search Performance in Splunk Search

Improve Search Performance

mwdbhyat — Tue, 29 Sep 2020 10:18:33 GMT

Hi,

Ive constructed the below 5 searches to populate a dashboard, once they go onto our live systems they are going to be going through TB of data.. I need to make these searches as efficient as possible using using tstats, rest endpoints, summaries, scheduled reports and was wondering if anyone could point me in the direction of what to use and where in my searches or improve the syntax? (search noob) So far timechart is being used for all of them as they are in single value visual form with a trend arrow per month.

Total Number of Systems - 30 Days
index=test earliest=-2mon@mon | timechart span=1mon dc(host) as Hosts

Total Volume Indexed - 30 Days
index=_internal source=license_usage.log type=Usage pool= idx=test earliest=-2mon@mon | rename idx as Index | timechart span=1mon sum(b) as Bytes

Total Number of Events - 30 Days
index=test earliest=-2mon@mon| timechart span=1mon count

Total Number of Sourcetypes - 30 Days
index=test earliest=-2mon@mon| timechart span=1mon dc(sourcetype) as sourcetypes

Total Volume Per Day
index=_internal source=license_usage.log type=Usage pool= idx=test earliest=-2d@d | rename idx as Index | timechart span=1d sum(b) as Bytes

Thanks

Re: Improve Search Performance

somesoni2 — Tue, 26 Jul 2016 14:55:19 GMT

For every query, other than ones which are showing license_usage, you can use tstats. For license usage queries, I would sugggest to go for summary indexing/data model with accelaration.

Total Number of Systems - 30 Days

| tstats dc(host) as Hosts WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Volume Indexed - 30 Days
Create a summary index with below search to run daily and then use the result of that summary index in your dashboard

index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes

Total Number of Events - 30 Days

| tstats count WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Number of Sourcetypes - 30 Days

| tstats dc(sourcetype) as sourcetypes WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Volume Per Day
Use the summary index created for "Total Volume Indexed - 30 Days"

Re: Improve Search Performance

mwdbhyat — Tue, 26 Jul 2016 16:07:18 GMT

Thanks for this!! Is there any way I can keep my trend indicator arrow? They are not showing anymore now that the search has changed..They are enabled etc.

Re: Improve Search Performance

mwdbhyat — Tue, 29 Sep 2020 10:24:25 GMT

Quick question - shouldnt, index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes have earliest and latest set to @mon rather than @day?