Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Best practices for search optimization for Splunk Cloud?

adukes_splunk
Splunk Employee
Splunk Employee
‎09-16-2019 08:18 AM

Does anyone have best practices to help optimize searches for Splunk Cloud?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adukes_splunk
Splunk Employee
Splunk Employee
‎09-16-2019 08:20 AM

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Better. Stronger. Faster.

Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.

How search optimization helps you do more with less

Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!

Things to know

Use Splunk Cloud Monitoring Console (CMC) dashboards to determine if any searches have performance issues that need attention. The CMC enables you to monitor Splunk Cloud deployment health and to enable platform alerts. You can modify existing alerts or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.

  • Search Usage Statistics: This dashboards shows search activity across your deployment with detailed information broken down by instance.
  • Scheduler Activity: This dashboard shows Information about scheduled search jobs (reports) and you can configure the priority of scheduled reports.
  • Forwarders: Instance and Forwarders: Deployment: These dashboards show information about forwarder connections and status. Read about how to troubleshoot forwarder/receiver connection in Forwarding Data.

Things to do

Using the Splunk HTTP Event Collector (HEC)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adukes_splunk
Splunk Employee
Splunk Employee
‎09-16-2019 08:20 AM

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Better. Stronger. Faster.

Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.

How search optimization helps you do more with less

Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!

Things to know

Use Splunk Cloud Monitoring Console (CMC) dashboards to determine if any searches have performance issues that need attention. The CMC enables you to monitor Splunk Cloud deployment health and to enable platform alerts. You can modify existing alerts or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.

  • Search Usage Statistics: This dashboards shows search activity across your deployment with detailed information broken down by instance.
  • Scheduler Activity: This dashboard shows Information about scheduled search jobs (reports) and you can configure the priority of scheduled reports.
  • Forwarders: Instance and Forwarders: Deployment: These dashboards show information about forwarder connections and status. Read about how to troubleshoot forwarder/receiver connection in Forwarding Data.

Things to do

Using the Splunk HTTP Event Collector (HEC)

0 Karma
Reply
Solved! Jump to solution

adukes_splunk
Splunk Employee
Splunk Employee
‎10-21-2019 10:27 AM

Added related video.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...