
    What exactly are 'dispatch.fetch' and 'dispatch.stream.local', and how do I lower their processing time?

    sjanwity
    Communicator

    I have a report which searches through an index of extracted database rows and performs a transaction on them, as well as some other eval processing, such as flattening multivalue fields and establishing a new column based on the result. The database is big and grows day by day, with the new changes being fed into the index through a 30-min cron job on splunk.

    The search was taking quite long so I moved the transaction command to another process as detailed in http://answers.splunk.com/answers/187124/collecting-results-from-a-transaction-command-does.html but the search is still taking a while:

    This search has completed and has returned 10,000 results by scanning 363,488 events in 212.374 seconds.

    Execution costs

    Duration (seconds)  Component                               Invocations  Input count  Output count
    22.146              command.eval                            288          2,907,896    2,907,896
    0.033               command.fields                          36           363,487      363,487
    11.998              command.presort                         1            363,487      293,488
    94.876              command.search                          288          2,544,414    2,907,901
    85.51               command.search.kv                       32           -            -
    7.297               command.search.filter                   252          -            -
    1.431               command.search.rawdata                  32           -            -
    0.036               command.search.fieldalias               32           363,488      363,488
    0.036               command.search.typer                    36           363,488      363,488
    0.035               command.search.tags                     36           363,488      363,488
    0.032               command.search.calcfields               32           363,488      363,488
    0.032               command.search.lookups                  32           363,488      363,488
    0.02                command.search.summary                  36           -            -
    0                   command.search.index.usec_1_8           2            -            -
    0                   command.search.index.usec_4096_32768    8            -            -
    0                   command.search.index.usec_512_4096      23           -            -
    0                   command.search.index.usec_64_512        5            -            -
    0                   command.search.index.usec_8_64          15           -            -
    0.199               command.sort                            1            1,550,569    10,000
    15.166              command.table                           1            363,487      1,914,056
    0.014               dispatch.check_disk_usage               14           -            -
    0.054               dispatch.createProviderQueue            1            -            -
    13.166              dispatch.emit_prereport_files           32           -            -
    0.323               dispatch.evaluate                       1            -            -
    0.329               dispatch.evaluate.search                8            -            -
    0.008               dispatch.evaluate.eval                  8            -            -
    0.001               dispatch.evaluate.sort                  1            -            -
    0.001               dispatch.evaluate.table                 1            -            -
    116.744             dispatch.fetch                          37           -            -
    50.53               dispatch.preview                        7            -            -
    24.696              dispatch.preview.command.table          7            840,261      4,027,761
    23.473              dispatch.preview.command.presort        7            840,261      675,262
    0.875               dispatch.preview.command.sort           7            3,170,000    70,000
    0.397               dispatch.preview.write_results_to_disk  7            -            -
    0.001               dispatch.reduce                         1            -            -
    116.736             dispatch.stream.local                   36           -            -
    2.191               dispatch.writeStatus                    42           -            -
    0.094               startup.handoff                         1            -            -


    As you can see, the dispatch is taking the lion's share of processing time. How can I optimise this?


    martin_mueller
    SplunkTrust
    SplunkTrust

    That dispatch.stream.local is time spent on streaming data from your local indexer. In other words, it looks like it's doing about 3000 events per second... if that's a dense search then you may want to get faster cores on that machine. What are your hardware specs?

    http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/HowsearchtypesaffectSplunkEnterpriseperfo...

    You might save some time by turning preview off, see dispatch.preview eating a nice chunk on top. That might not matter for the scheduled executions though.

    search.kv is eating a lot as well, consider | fields'ing your data before piping it into the transaction to only extract fields you actually need.

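    The `| fields` advice above as an added illustration (not from the original thread; the index, sourcetype and field names are assumed). The first search lets command.search.kv extract every field of every scanned event before transaction runs; the second keeps only the fields the later commands actually use, so field extraction is limited to those and transaction has less to carry per event.

```spl
index=db_extract sourcetype=db_rows
| transaction row_id maxspan=1h
| eval status_list=mvjoin(status, ",")
| eval is_closed=if(match(status_list, "CLOSED"), 1, 0)
| table row_id, status_list, is_closed, duration
| sort - _time

index=db_extract sourcetype=db_rows
| fields row_id, status, _time
| transaction row_id maxspan=1h
| eval status_list=mvjoin(status, ",")
| eval is_closed=if(match(status_list, "CLOSED"), 1, 0)
| table row_id, status_list, is_closed, duration
| sort - _time
```

    Check the effect in the job inspector of each run: command.search.kv and dispatch.stream.local should both drop, while the table and sort rows stay the same because the result set is unchanged.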
    sjanwity
    Communicator

    That fields tip did the trick, thanks! Do you have any other optimisation pointers? I also do a table and sort on the end result to display data better. Is there a cheaper way of re-arranging the columns and sorting them?

    MuS
    Legend

    Have a look at this nice post http://answers.splunk.com/answers/172275/how-do-optimizations-for-field-based-searches-work.html to learn more about search optimizations.

    sjanwity
    Communicator

    Note: in my splunk search, I generally want splunk to return everything. I have a few form-based input filters but by default they are set to '*'. Is there a way to quicken the search with this?
