Why is Splunk search running slowly?

sekhar463 · ‎02-28-2023

i am using below query which running very slow.

how to modify this query to search and run faster

sekhar463 · ‎03-01-2023

will it be possible fasten the search using above query by changing query.

ITWhisperer · ‎03-01-2023

It is not clear what you mean here - either you want to use the same query or you want to change it

If you want to change it, I have already given you some suggestions. Have you tried them? Did any of them improve the speed?

sekhar463 · ‎03-01-2023

i have tried by changing but did not worked.

search was taking long because to filter only Status= DOWN

if i have search for all it was giving results fast,

is any way to modify the search to get faster

ITWhisperer · ‎03-01-2023

So you tried a summary index? And a csv store?

How about using where instead of search (as in my suggestion)?

sekhar463 · ‎03-01-2023

Tried with where condition but could not work

didn't tried with summary index let me know the steps on summary index on this based on my search

ITWhisperer · ‎03-01-2023

Configure summary indexes - Splunk Documentation

ITWhisperer · ‎02-28-2023

Filter by Age as soon as possible - remove redundant sort

index=_internal source=*metrics.log group=tcpin_connections |fields - _raw
| eval Host=coalesce(hostname, sourceHost)
| eval age=(now()-_time)
| stats
min(age) AS Age
max(_time) AS LastTime
BY Host
| convert ctime(LastTime) AS "Last Active On"
| where age >= 7200
| eval Status="DOWN"
| eval Age=tostring(Age,"duration")
| sort 0 Host
| lookup 0010_Solarwinds_Nodes_Export Caption as Host OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group,Application_Primary AS CMDB2_Application_Primary,Support_Group AS CMDB2_Support_Group

sekhar463 · ‎02-28-2023

Thanks but this also taking long for results.

ITWhisperer · ‎02-28-2023

There are a couple of ways to speed up your search. Reduce your time period - create a summary index and store results there - create scheduled searches and load the results later - buy faster kit! It can also depend on your usecase.

sekhar463 · ‎02-28-2023

can you tell me the steps for this steps :store results there - create scheduled searches and load the results later

use case: i am using above search to get the Forwarder status down using phone home interval

so using above query but for DOWN results it was taking long time

ITWhisperer · ‎02-28-2023

Since Age and LastTime come from the same event i.e. the last time will also generate the lowest age, why not simply keep a csv store with host and last time which you update with outputlookup every so often. That way you can use inputlookup (or even lookup by host) to find when the host was last seen.

Why is Splunk search running slowly?

development

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Why is Splunk search running slowly?

development

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers