
Splice searches running really slow

theouhuios

Hello

We are running some Splice searches to match on IOCs and they seem to be running very slow. We have a hybrid Splunk deployment with indexers in the cloud and the Splice search head running on-prem. Because of this we use |localop| in our searches so that Splice fetches all required components from the search head itself. Would this be a reason why the searches run slow?

I am passing on average about 400k events for a 10 min interval search if the search runs between 9 AM - 5 PM. It takes about 20 min+ for Splice to complete that search. Sometimes it just hangs up. Because of this it doesn't run on the scheduled interval. Did anyone face the same issue?

The number of IOCs in the Splice MongoDB is about 115k now. We saw the same slowness even when MongoDB had only 40k records.

Has anyone faced this issue before? Any help would be appreciated.


cleroux_splunk
Splunk Employee

SPLICE is a prototype and, as with any prototype, there are some limitations. One workaround would be to use the iocexportcsv command to create CSV lists of technical indicators that you would afterwards reference via lookups or the ES Threat List. And yes, the localop command retrieves all the data and then processes it on the SH.

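The workaround above moves the matching from per-event queries against the IOC store to a CSV lookup table. The example below is an added illustration of that matching step and is not code from the thread or from the SPLICE app: it loads a constructed IOC CSV into an in-memory hash table once, then checks each event's fields against it. The CSV column layout (`indicator,type,source`), the event field names and the sample values are all assumptions made for the example; the point it shows is that with a lookup-style table each event costs a few dictionary probes regardless of whether the list holds 40k or 115k indicators, whereas pulling every event to the search head via `localop` and consulting the IOC database per event does not scale. In Splunk itself the same idea applies when the exported CSV is deployed as a lookup table: the `lookup` command can then run distributed on the indexers instead of being forced onto the search head.

```python
"""Added example (not from the thread): match events against a CSV IOC list
the way a lookup table would, instead of querying the IOC store per event.

Assumptions (not from the thread): the exported CSV has the columns
`indicator,type,source`; events carry dest_ip / domain / file_hash fields.
"""
import csv
import io

# Constructed sample of an exported IOC list (column layout is assumed).
IOC_CSV = """indicator,type,source
198.51.100.23,ip,feed-a
evil.example.net,domain,feed-b
44d88612fea8a8f36de82e1278abb02f,md5,feed-a
"""

# Constructed sample events; field names mirror common Splunk CIM fields.
EVENTS = [
    {"dest_ip": "198.51.100.23", "domain": "update.example.com", "file_hash": ""},
    {"dest_ip": "203.0.113.8", "domain": "evil.example.net", "file_hash": ""},
    {"dest_ip": "203.0.113.9", "domain": "ok.example.org",
     "file_hash": "44d88612fea8a8f36de82e1278abb02f"},
    {"dest_ip": "203.0.113.10", "domain": "ok.example.org",
     "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Event field -> the IOC type it should be compared against (assumed mapping).
FIELD_TO_TYPE = {"dest_ip": "ip", "domain": "domain", "file_hash": "md5"}


def load_ioc_table(csv_text):
    """Build an in-memory lookup table: (type, indicator) -> CSV row.

    This is the one pass over the IOC list; every later match is a
    constant-time hash probe rather than a query against the IOC store.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"].strip().lower(), row["indicator"].strip().lower())
        table[key] = row
    return table


def match_events(events, table):
    """Return (event_index, field, ioc_row) for every indicator hit.

    Values are normalised (stripped, lower-cased) so that case differences
    in hashes or hostnames do not cause misses.
    """
    hits = []
    for i, ev in enumerate(events):
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = (ev.get(field) or "").strip().lower()
            if not value:
                continue  # field absent or empty in this event
            row = table.get((ioc_type, value))
            if row is not None:
                hits.append((i, field, row))
    return hits


if __name__ == "__main__":
    ioc_table = load_ioc_table(IOC_CSV)
    for idx, field, row in match_events(EVENTS, ioc_table):
        print(f"event {idx}: {field}={row['indicator']} "
              f"matched {row['type']} IOC from {row['source']}")
```

With the constructed data this reports three hits: event 0 on `dest_ip`, event 1 on `domain`, and event 2 on `file_hash`; event 3 matches nothing. Keying the table on `(type, indicator)` rather than the bare indicator avoids a hash value accidentally matching a field of a different type.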