Archive

Help debugging job inspector data

Communicator

When i run search:
index=my_summary sourcetype=stash ip=13.13.137.13 | head 5

Job inspector's "normalizedSearch" as well as "remoteSearch" shows this:

litsearch index=my_summary sourcetype=stash ( ( ( sourcetype=access_combined_wcookie ) AND ( ( clientip="13.13.137.13" ) ) ) OR ( ( sourcetype=mnxxx ) AND ( ( vxxxIP="13.13.137.13" ) ) ) OR ( ( sourcetype=ncxxx ) AND ( ( SUBJECT_IP="13.13.137.13" ) ) ) ) OR ( ip="13.13.137.13" ) | litsearch index=my_summary sourcetype=stash ip=13.13.137.13 | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | prehead limit=5 null=false keeplast=false

  1. Why litsearch looking for other sourcetypes I did not explicitly requested?
  2. Why litsearch query seemingly appears twice running similar query?
  3. How to judge the performance of query from job Inspector's data (besides using runDuration value)?
Tags (2)
0 Karma

Motivator

Um, maybe limiting search commands in one of the roles you have?

0 Karma