Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different search performance for two sourcetype

pradeepchhetri
Engager
‎06-20-2014 02:21 AM

Hi,

We have a splunk machine running with all the events going to one index. I noticed that for two different sourcetype, I got different search performance. For one of the sourcetype, searching happened very quickly but it was very slow for the other. Can someone explain me why i am getting such a difference.

Regards.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-20-2014 04:22 AM

Hi pradeepchhetri,

This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....

here are some basic troubleshooting things:

  • do both sourcetypes have exactly the same event count over the exact same time range?
  • is your search head / indexer over loaded?
  • are there any saved searches running?
  • check the job inspector to get any idea why one search is running slower as the other.

you see, there is a lot to check for you.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-20-2014 04:22 AM

Hi pradeepchhetri,

This is the kind of question, that is almost impossible for anyone to answer, except to you - because you know your setup, know your events, know your server's load and so on.....

here are some basic troubleshooting things:

  • do both sourcetypes have exactly the same event count over the exact same time range?
  • is your search head / indexer over loaded?
  • are there any saved searches running?
  • check the job inspector to get any idea why one search is running slower as the other.

you see, there is a lot to check for you.

cheers, MuS

Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-22-2014 11:48 PM

@Mus: @martin_mueller: Just realized that the difference was due to fast-mode and smart-mode search types, although both has same number of events. Thank you for the help.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-20-2014 07:43 AM

I'm going to guess that production will have much more data than staging.

0 Karma
Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-20-2014 05:01 AM

@Mus: Thank you for the reply. I will do the troubleshooting accordingly and let you know the outcome.

0 Karma
Reply
Solved! Jump to solution

pradeepchhetri
Engager
‎06-20-2014 02:59 AM

my search query just includes: sourcetype="production" and sourcetype="staging"

0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎06-20-2014 02:43 AM

Can you post your search query ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...