Solved: Re: Splunk search 'plan'

bfaber · ‎04-29-2010

Is there anyway to run an sql like 'plan' on a splunk search to determine efficiency?

jrodman · ‎04-29-2010

Nope. It's an internal discussion topic. I'm in the sustaining group, charged with removing defects and making things more supportable. This is one of the things we would like. It's a bit tricky in that SQL datasets are a bit more expectable than splunk datasets, so something like a plan or explain would take more interpretation for Splunk than for SQL, but still it would be a good tool for aiding in performance analysis.

Things you can do right now:

run a search and review the search.log in var/run/dispatch/ it will have some information about expansions, so that you can see how tags, eventtypes, and so on are behaving.
review http://www.splunk.com/wiki/Community:PerformanceTroubleshooting , which down in the 'anatomy of a search' will give you a rough idea of how the machinery works, so will give you a good idea how to proceed from an expert perspective.
work with support on specific searches you want to go faster

If you have specific components of the information that a plan or explain would provide that are most crucial, we'd love to hear about them, and the shape of the problems you face that make these important. Any assistance our customers can provide in scheduling decisions is very much appreciated. I can copy things into formal enhancement requests, but ideally those kinds of things arrive via the support channel.

View solution in original post

jrodman · ‎04-29-2010

Nope. It's an internal discussion topic. I'm in the sustaining group, charged with removing defects and making things more supportable. This is one of the things we would like. It's a bit tricky in that SQL datasets are a bit more expectable than splunk datasets, so something like a plan or explain would take more interpretation for Splunk than for SQL, but still it would be a good tool for aiding in performance analysis.

Things you can do right now:

run a search and review the search.log in var/run/dispatch/ it will have some information about expansions, so that you can see how tags, eventtypes, and so on are behaving.
review http://www.splunk.com/wiki/Community:PerformanceTroubleshooting , which down in the 'anatomy of a search' will give you a rough idea of how the machinery works, so will give you a good idea how to proceed from an expert perspective.
work with support on specific searches you want to go faster

If you have specific components of the information that a plan or explain would provide that are most crucial, we'd love to hear about them, and the shape of the problems you face that make these important. Any assistance our customers can provide in scheduling decisions is very much appreciated. I can copy things into formal enhancement requests, but ideally those kinds of things arrive via the support channel.

jrodman · ‎05-03-2010

Yep, that was our initial work on this sort of goal. I heard about it but hadn't tried it yet. I should perhaps edit it into my reply. I pushed for the inspect action to allow review of the search log as well.

Lowell · ‎04-29-2010

I noticed in Splunk 4.1.1, there is now an inspect search option on the actions drop-down menu. This isn't as detailed as a "plan", but it does give you some key information about your search along with a graph showing search times by component, as well as some component invocation counts. It's certainly a starting point.

Justin_Grant · ‎04-29-2010

This would be very cool-- like what SQL Server does with Graphical Showplan, or even (much simpler) what MySQL does with EXPLAIN.

Splunk search 'plan'

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk