Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different search performance for two sourcetype

pradeepchhetri
Engager
‎06-20-2014 02:21 AM

Hi,

We have a splunk machine running with all the events going to one index. I noticed that for two different sourcetype, I got different search performance. For one of the sourcetype, searching happened very quickly but it was very slow for the other. Can someone explain me why i am getting such a difference.

Regards.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎06-20-2014 04:22 AM

Hi pradeepchhetri,

This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....

here are some basic troubleshooting things:

  • do both sourcetypes have exactly the same event count over the exact same time range?
  • is your search head / indexer over loaded?
  • are there any saved searches running?
  • check the job inspector to get any idea why one search is running slower as the other.

you see, there is a lot to check for you.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎06-20-2014 04:22 AM

Hi pradeepchhetri,

This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....

here are some basic troubleshooting things:

  • do both sourcetypes have exactly the same event count over the exact same time range?
  • is your search head / indexer over loaded?
  • are there any saved searches running?
  • check the job inspector to get any idea why one search is running slower as the other.

you see, there is a lot to check for you.

cheers, MuS

Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-22-2014 11:48 PM

@Mus: @martin_mueller: Just realized that the difference was due to fast-mode and smart-mode search types, although both has same number of events. Thank you for the help.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-20-2014 07:43 AM

I'm going to guess that production will have much more data than staging.

0 Karma
Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-20-2014 05:01 AM

@Mus: Thank you for the reply. I will do the troubleshooting accordingly and let you know the outcome.

0 Karma
Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-20-2014 02:59 AM

my search query just includes: sourcetype="production" and sourcetype="staging"

0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎06-20-2014 02:43 AM

Can you post your search query ?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...