Archive

Upgraded to splunk 4.3, search is horribly slow, previous version (4.2) worked perfectly.

Hi, we've upgraded to splunk 4.3, search is horribly slow, previous version (4.2.4) worked perfectly.

We're indexing upto 1GB /day (Enterprise license) and running on Amazon EC2 m1.large (specs:
7.5 GB memory
4 EC2 Compute Units (2 virtual cores with 2 EC2 Compute Units each)
850 GB instance storage
64-bit platform
I/O Performance: High)

It takes a couple of minutes to perform a search that used to take seconds, what
can we do to fix it?

Thanks, Max

Tags (1)

SplunkTrust
SplunkTrust

One idea is to install the SoS app and take a look at the search performance tools it has in there. It'll give you a lot of information about the searches that are running slowly and you might see a clue as to what's going on.

0 Karma

Champion

Could you give more details such as the search string you are using? Also, have you looked in your splunkd.log for any errors or issues? I have seen some people experiencing bloom filter updates when the new install is in place on old indexes which can cause a bit of slow-down

0 Karma