Search Factor Question - In regards to search spee...

bgagliardi1 · ‎04-18-2018

I'm currently not using indexer clustering. I'm on all flash storage and I'm looking into increasing the speed of some of my larger indexes, which are about 4-5TB and growing. When I run a 1 day search it is uber slow. CPU performance and memory performance is 10-50%. Would indexer clustering with dedication to searchability factor help me? What would I aim to do to increase search speed? I know there's some customers out there with petabytes of ingestion daily, and I'm betting they don't wait a year for a 15min search to complete.

Thanks

deepashri_123 · ‎04-18-2018

Hey@bgagliardi1,

Following are the options to consider:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Aboutsummaryindexing
1. Use base search to run searches.
2. Use loadjob searches
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Loadjob
3. Use accelerated reports
4. Use data-model acceleration http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Acceleratedatamodels
5. Make sure you add filters in the start of the search.
6. Use Summary indexing
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usesummaryindexing
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Configurebatchmodesearch
Let me know if this helps!!

Search Factor Question - In regards to search speed what is the efficacy of increasing the SF by N?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!