Installation
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dbquery run slower after upgrade to splunk 7.0 from 6.4.1

sylim_splunk
Splunk Employee
Splunk Employee
‎02-02-2018 03:23 PM

When comparing runtime of dbquery between splunk 7.0.0 and splunk 6.4.1 the query with 7.0 takes slightly longer than that with 6.4.1. This is not a critical issue but want to know why.

Job Inspector shows like below - as you can find splunk 6.4 has less entries.

From Splunk 7.0.0 + db_connect 3.1.2
Duration (seconds) Component Invocations Input count Output count
1.52 command.dbxquery 1 - 13
0.00 dispatch.check_disk_usage 1 - -
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.68 dispatch.evaluate 1 - -
0.68 dispatch.evaluate.dbxquery 1 - -
0.00 dispatch.evaluate.noop 1 - -
0.68 dispatch.optimize.FinalEval 1 - -
0.65 dispatch.optimize.matchReportAcceleration 1 - -
0.02 dispatch.optimize.optimization 1 - -
0.02 dispatch.optimize.reparse 1 - -
0.73 dispatch.optimize.toJson 1 - -
0.00 dispatch.optimize.toSpl 1 - -
0.01 dispatch.writeStatus 7 - -
0.03 startup.configuration 1 - -
0.06 startup.handoff 1 - -

From Splunk 6.4.1 + 3.1.2
1.88 command.dbxquery 1 - 13
0.00 dispatch.check_disk_usage 1 - -
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.69 dispatch.evaluate 1 - -
0.69 dispatch.evaluate.dbxquery 1 - -
0.01 dispatch.writeStatus 6 - -
0.03 startup.configuration 1 - -
0.06 startup.handoff 1 - -

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎02-02-2018 03:34 PM

As you can see, those entries are from search optimization feature which was just introduced to 6.5. This just kicks in before it actually start search. The symptom disappears after it disabled as suggested in the link below and performance wise it worked well as expected. It's not something we should disable but it worked for the case.

In $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/limits.conf
[search_optimization]
enabled=false

You can find more information from the documentation;
http://docs.splunk.com/Documentation/Splunk/latest/Search/Built-inoptimization#Turn_off_optimization...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎02-02-2018 03:34 PM

As you can see, those entries are from search optimization feature which was just introduced to 6.5. This just kicks in before it actually start search. The symptom disappears after it disabled as suggested in the link below and performance wise it worked well as expected. It's not something we should disable but it worked for the case.

In $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/limits.conf
[search_optimization]
enabled=false

You can find more information from the documentation;
http://docs.splunk.com/Documentation/Splunk/latest/Search/Built-inoptimization#Turn_off_optimization...

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
li.common.scroll-to.top