No my saved searches are not scheduled.Is there anyway I can get faster response without scheduling saved searches.
even i am facing this issue. please help. i see the search getting completed on splunk UI but not through java client.
The SDK doesn't add any extra overhead and the response time should be very similar to the Splunk UI. You mentioned that you are using saved searches to pull data from Splunk. Is the saved search scheduled? If so, you should use the history function on the saved search object to retrieve the last run instance. That should be speed things up hopefully.
How big is the index you search?
I have noticed that searching an index of size 1m events if I did not limit the results with | head 50000
(could be other value es well, I used this to be in sync with the REST API result limit in limits.conf) Splunk will search through all 1m event and then return 50000 (as it is configured in limits.conf)
Shouldn't be any difference.
Below is the code am using from java
Job job =null;
Map
inputArgs.put("ttl",30);
job = service.getJobs().create("|savedsearch mysavedsearch earliest=-1440m@m latest=now span=1hr",inputArgs);
while (!job.isDone())
{try Thread.sleep(2000);}catch (InterruptedException e) {}
job.refresh();
} Map
outputArgs.put("output_mode","json"); InputStream stream = job.getResults(outputArgs);
Thanks Neeraj.
My main concern is API is taking more time(30 to 40 sec) some times, and sometimes it is very fast(5 to 6 sec).
In Splunk UI it is very fast,within 2 sec am getting the results.
My Java Application will be hitting by multiple users.Is it creating any slowness.
No, this will also work. You are doing the same thing, creating a job from a saved search.
Service.getJobs().create("mysavedsearch"',inputargs)
Here am just retreiving the savedsearch right.Am I creating any new saved searches on the server.I just need to retreive it
Thanks Neeraj
This should work. Another way to approach this would be to create/save the search on the server and then dispatch it as follows to get a handle on the Job. With this approach, you can decide to schedule it in the fure and then use the history method for faster returns.
SavedSearch ss = service.getSavedSearches().get("my_saved_search");
Job job = ss.dispatch();
while (!job.isReady()) {
Thread.sleep(1000);
}
Hi Neeraj
In my java code am using in below format
Service.getJobs().create("mysavedsearch"',inputargs)
From above am retreiving the job details .Is this approach is a good one.
No my saved searches are not scheduled.Is there anyway I can get faster response without scheduling saved searches.
(20 secs ago)bubby248