Re: Determining bytes scanned during a search?

Beaker77 · ‎12-05-2019

Hey there Splunkers!

Similar to the question "How is the Size value on the job page calculated and logged in Splunk?" how can I determine how much disk is scanned when a search is run?

I can get the event_count and scan_count from the search head logs, but are bytes scanned logged in a file anywhere, or do I have to use diskUsage in | rest splunk_server=local /services/search/jobs?

Gracias!

gcusello · ‎12-06-2019

Hi @Beaker77,
what do you mean with "scanned"?
if you mean disk used for each search job one Splunk server you can use diskUsage.

Ciao.
Giuseppe

Beaker77 · ‎12-06-2019

Hey @gcusello - By scanned I mean the total number of bytes examined in a search (not necessarily the number of bytes returned in the results).

The docs say diskUsage is "The total amount of disk space used, in bytes." so I think that's the compressed size of the matching events returned from a search as stored on disk in the dispatch folder.

Thanks for chiming in 🙂

gcusello · ‎12-07-2019

Hi @Beaker77,
sincerely I don't know the total number of bytes examined and I don't know if it's possible to extract it.
It's possible to know the number of scanned events and you could calculate an average, but anyway why do you need to know this?

You can have the number of scanned events from Job Inspector or taking from job properties scan.count.
For more details see at https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/ViewsearchjobpropertieswiththeJobInspector .

Ciao.
Giuseppe

Determining bytes scanned during a search?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?