Search Factor Question - In regards to search spee...

bgagliardi1 · ‎04-18-2018

I'm currently not using indexer clustering. I'm on all flash storage and I'm looking into increasing the speed of some of my larger indexes, which are about 4-5TB and growing. When I run a 1 day search it is uber slow. CPU performance and memory performance is 10-50%. Would indexer clustering with dedication to searchability factor help me? What would I aim to do to increase search speed? I know there's some customers out there with petabytes of ingestion daily, and I'm betting they don't wait a year for a 15min search to complete.

Thanks

deepashri_123 · ‎04-18-2018

Hey@bgagliardi1,

Following are the options to consider:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Aboutsummaryindexing
1. Use base search to run searches.
2. Use loadjob searches
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Loadjob
3. Use accelerated reports
4. Use data-model acceleration http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Acceleratedatamodels
5. Make sure you add filters in the start of the search.
6. Use Summary indexing
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usesummaryindexing
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Configurebatchmodesearch
Let me know if this helps!!

Search Factor Question - In regards to search speed what is the efficacy of increasing the SF by N?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation