Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding a search is dense or sparse or rare search by looking into search dispatch directory.

sibanandapani1
Explorer
‎10-15-2014 03:54 PM

We have few searches. How to find whether search is a rare search, or Dense or Sparse search.

Was there anywhere log for this thing. Please help me.

Tags (1)
0 Karma
Reply

jluste
Path Finder
‎10-24-2014 11:04 AM

Taken from Slide 26 of the Search Optimization in 500 Easy Steps presentation given at .conf2014 by Julian Harty.

How can I determine if my search is Dense or Sparse?
Use Job Inspector…

scanCount = The number of events that are scanned or read off disk.
eventCount = Number of events that are returned to base search

• For dense searches scanCount ~= eventCount.
• For sparse searches, scanCount >> eventCount.

Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...