Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field search very slow compared to free text

altink
Builder
‎10-16-2020 06:38 AM

Dear Support

I make two searches – for the same time-period, ex last 7 days, and on the same data (index):

 

 

1. index=db_oracle sourcetype="oracle:audit:text" (OMEGACA OR OMEGA_CORE_AUDIT)

2. index=db_oracle sourcetype="oracle:audit:text" (ACTION=*OMEGACA* OR ACTION=*OMEGA_CORE_AUDIT*)

 

 

The idea is to look for SYSDBA actions on application objects.


Search 1 – a wide-search – completes very quickly in a reasonable time (few seconds)

Job Inspect:

This search has completed and has returned 28 results by scanning 85 events in 1.438 seconds


Search 2 – a field-search – has a big delay and it is very slow.

Job Inspect:

This search has completed and has returned 28 results by scanning 1,264,230 events in 156.1 seconds

 

Problem:

I was expecting the Search 2 to be faster (or at least equal) compared to Search 1.

I can see that the second search scans 1,264,230 events while Search 1 only 85

Why do I have such a big performance slowness in my second Search?

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

hc_joycechen
Explorer
‎10-21-2020 12:54 AM

index=db_oracle sourcetype="oracle:audit:text" (OMEGACA OR OMEGA_CORE_AUDIT)

| where like(ACTION, "%OMEGACA%") OR  like(ACTION, "%OMEGA_CORE_AUDIT%") 

View solution in original post

Reply
Solved! Jump to solution
Solution

hc_joycechen
Explorer
‎10-21-2020 12:54 AM

index=db_oracle sourcetype="oracle:audit:text" (OMEGACA OR OMEGA_CORE_AUDIT)

| where like(ACTION, "%OMEGACA%") OR  like(ACTION, "%OMEGA_CORE_AUDIT%") 

Reply
Solved! Jump to solution

altink
Builder
‎10-26-2020 06:44 AM

Hi @hc_joycechen 

and thanks for the reply. this works blaze fast and precise, but it has a problem.

It requires a repetition of information in the sense that I have two declare twice each string I wish to search for.
This is prone to error, and as a matter of general principles - duplication should not exist.

Is it a workaround for this?

best regards

Altin

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎10-26-2020 07:14 PM

@altink 

You can just remove the first and leave the criteria in the where clause. Does that give acceptable performance?

0 Karma
Reply
Solved! Jump to solution

hc_joycechen
Explorer
‎10-26-2020 05:55 PM

I don't quite understand your question.

Can you give sample information?

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎10-27-2020 06:22 AM

The sole issue is that the searched strings ("OMEGACA" and "OMEGA_CORE_AUDIT") have to be declared twice in the statement

Is there a syntax that would do the same with a single declaration?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2020 07:46 AM

The leading wildcards in search 2 are killing performance.  To find matches, Splunk has to read every event that has an ACTION field to determine if it contains one of the matching substrings.

In search 1, Splunk can use metadata to avoid reading events that don't contain one of the target strings.

A key difference between the two searches is #1 may find events where the target string is not in the ACTION field.

If the two return the same results (not just the same count) then use #1.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

altink
Builder
‎10-19-2020 05:46 AM

Thank You @richgalloway 

But what I am searching for (strings OMEGA and OMEGA_CORE_AUDIT) - are inside the ACTION field and in no other. In the first search it seems Splunk performs implicitely a wildcard search - cause the two strings above are part of wider strings.
I do not need to search in any other field other the ACTION. Furthermore, if casually, the strings above are to be found in a field other then ACTION - I do not want those records returned !

While in the second search, where things are logically as I want them to be - a field search - and I am forced by logic to use wild-carding - Splunk is as slow as one cannot work with that.

Any idea?
best

Altin

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 07:21 AM

Hi @altink,

when you use "*" your searches are always slower than fixed strings or words!

Ciao.

Giuseppe

Reply
Solved! Jump to solution

altink
Builder
‎10-19-2020 05:48 AM

thank you @gcusello 

But the strings I am searching for:

1. are to be found only inside ACTION field - and if others not returned
2. they are not field values in whole, they are part of field value, and as such wild card is required

best

Altin

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...