Splunk SDK Search is slow

TheMilkMan · ‎11-29-2019

The Splunk query using Splunk SDK using C# returns results much slower than the front end.

Query

index=TEST "<TEST LogTime" earliest="11/1/2019:0:0:0" latest="11/30/2019:23:59:59" | where (in(Field1, "TestValue1","TestValue2","TestValue3")) | fields TestField1 TestField2 TestField3 | rename TestField1 as TestField1a, TestField2 As TestField2b, TestField3 As TestField3a

using (var service = new Service(Scheme.Https, _config.Uri, _config.Port))
                {

                    await service.LogOnAsync(_config.Username, _config.Password);

                    using (var searchResultStream = await service.SearchOneShotAsync(query))
                    {

                        var config = new MapperConfiguration(cfg => { });
                        var mapper = config.CreateMapper();
                        foreach (var result in searchResultStream)
                        {
                            results.Add(mapper.Map<T>(result));
                        }
                    }
                }

wmyersas · ‎11-29-2019

What is your search?

How are you connecting with the SDK?

TheMilkMan · ‎11-29-2019

index=TEST "

TheMilkMan · ‎11-29-2019

index=TEST "<TEST LogTime" earliest="11/1/2019:0:0:0" latest="11/30/2019:23:59:59" | where (in(Field1, "TestValue1","TestValue2","TestValue3")) | fields TestField1 TestField2 TestField3 | rename TestField1 as TestField1a, TestField2 As TestField2b, TestField3 As TestField3a

using (var service = new Service(Scheme.Https, _config.Uri, _config.Port))
                {

                    await service.LogOnAsync(_config.Username, _config.Password);

                    using (var searchResultStream = await service.SearchOneShotAsync(query))
                    {

                        var config = new MapperConfiguration(cfg => { });
                        var mapper = config.CreateMapper();
                        foreach (var result in searchResultStream)
                        {
                            results.Add(mapper.Map<T>(result));
                        }
                    }
                }

Splunk SDK Search is slow

SDK

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!