Is there any way to run an SQL-like 'plan' on a Splunk search to determine efficiency?
Nope. It's an internal discussion topic. I'm in the sustaining group, charged with removing defects and making things more supportable. This is one of the things we would like. It's a bit tricky in that SQL datasets are a bit more expectable than Splunk datasets, so something like a plan or explain would take more interpretation for Splunk than for SQL, but still it would be a good tool for aiding in performance analysis.
Things you can do right now:
If you have specific components of the information that a plan or explain would provide that are most crucial, we'd love to hear about them, and the shape of the problems you face that make these important. Any assistance our customers can provide in scheduling decisions is very much appreciated. I can copy things into formal enhancement requests, but ideally those kinds of things arrive via the support channel.
Yep, that was our initial work on this sort of goal. I heard about it but hadn't tried it yet. I should perhaps edit it into my reply. I pushed for the inspect action to allow review of the search log as well.
I noticed in Splunk 4.1.1, there is now an inspect search option on the actions drop-down menu. This isn't as detailed as a "plan", but it does give you some key information about your search along with a graph showing search times by component, as well as some component invocation counts. It's certainly a starting point.
This would be very cool-- like what SQL Server does with Graphical Showplan, or even (much simpler) what MySQL does with EXPLAIN.