The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.
Better. Stronger. Faster.
Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.
How search optimization helps you do more with less
Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!
Things to know
Use the Monitoring Console dashboards to determine if any searches have performance issues that need attention. The Monitoring Console comes with preconfigured health checks in addition to platform alerts. You can modify existing health checks or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.
- Search activity dashboards: The Search activity: Instance and Search activity: Deployment dashboards show search activity across your deployment with detailed information broken down by instance.
- Scheduler activity dashboards: The Scheduler activity: Deployment dashboard shows information about the past executions of scheduled searches, and their success rates. If you have a search head cluster, the Search head clustering Scheduler delegation dashboard deals with how the captain orchestrates scheduler jobs.
- Indexing performance dashboards: The Indexing performance: Deployment and Indexing performance: Instance dashboards show indexing performance across the deployment.
Things to do
- Run a health check. Access and customize the health check to expose issues with source types, among other things.
- Improve your source types. Review the data quality dashboards to identify and resolve data quality issues.
- Tune long running searches. Review the dashboards in the Monitoring Console to see if you notice any heavy consumers of CPU or memory usage.
- Peek at pipelines. Review the indexing performance dashboards to identify any issues or load in a particular pipeline.
- Secure your Splunk. Review the safeguards for risky commands in the Splunk Enterprise Securing Splunk Enterprise Manual.
The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.
Better. Stronger. Faster.
Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.
How search optimization helps you do more with less
Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!
Things to know
Use the Monitoring Console dashboards to determine if any searches have performance issues that need attention. The Monitoring Console comes with preconfigured health checks in addition to platform alerts. You can modify existing health checks or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.
- Search activity dashboards: The Search activity: Instance and Search activity: Deployment dashboards show search activity across your deployment with detailed information broken down by instance.
- Scheduler activity dashboards: The Scheduler activity: Deployment dashboard shows information about the past executions of scheduled searches, and their success rates. If you have a search head cluster, the Search head clustering Scheduler delegation dashboard deals with how the captain orchestrates scheduler jobs.
- Indexing performance dashboards: The Indexing performance: Deployment and Indexing performance: Instance dashboards show indexing performance across the deployment.
Things to do
- Run a health check. Access and customize the health check to expose issues with source types, among other things.
- Improve your source types. Review the data quality dashboards to identify and resolve data quality issues.
- Tune long running searches. Review the dashboards in the Monitoring Console to see if you notice any heavy consumers of CPU or memory usage.
- Peek at pipelines. Review the indexing performance dashboards to identify any issues or load in a particular pipeline.
- Secure your Splunk. Review the safeguards for risky commands in the Splunk Enterprise Securing Splunk Enterprise Manual.
