Splunk search 'plan'

Communicator

Is there any way to run an SQL-like 'plan' on a Splunk search to determine efficiency?


Splunk Employee

Nope. It's an internal discussion topic. I'm in the sustaining group, charged with removing defects and making things more supportable. This is one of the things we would like. It's a bit tricky in that SQL datasets are a bit more expectable than Splunk datasets, so something like a plan or explain would take more interpretation for Splunk than for SQL, but still it would be a good tool for aiding in performance analysis.

Things you can do right now:

  • run a search and review the search.log in var/run/dispatch/; it will have some information about expansions, so that you can see how tags, eventtypes, and so on are behaving.
  • review http://www.splunk.com/wiki/Community:PerformanceTroubleshooting, which, down in the 'anatomy of a search', will give you a rough idea of how the machinery works, so will give you a good idea how to proceed from an expert perspective.
  • work with support on specific searches you want to go faster

If you have specific components of the information that a plan or explain would provide that are most crucial, we'd love to hear about them, and the shape of the problems you face that make these important. Any assistance our customers can provide in scheduling decisions is very much appreciated. I can copy things into formal enhancement requests, but ideally those kinds of things arrive via the support channel.


Splunk Employee

Yep, that was our initial work on this sort of goal. I heard about it but hadn't tried it yet. I should perhaps edit it into my reply. I pushed for the inspect action to allow review of the search log as well.

0 Karma

Super Champion

I noticed in Splunk 4.1.1, there is now an inspect search option on the actions drop-down menu. This isn't as detailed as a "plan", but it does give you some key information about your search along with a graph showing search times by component, as well as some component invocation counts. It's certainly a starting point.

0 Karma

Contributor

This would be very cool-- like what SQL Server does with Graphical Showplan, or even (much simpler) what MySQL does with EXPLAIN.

0 Karma