Splunk Search

Finding whether a search is dense, sparse, or rare by looking into the search dispatch directory

sibanandapani1
Explorer

We have a few searches. How can we find out whether a search is a rare, dense, or sparse search?

Is there a log anywhere for this? Please help me.


jluste
Path Finder

Taken from Slide 26 of the Search Optimization in 500 Easy Steps presentation given at .conf2014 by Julian Harty.

How can I determine if my search is Dense or Sparse?
Use Job Inspector…

scanCount = The number of events that are scanned or read off disk.
eventCount = Number of events that are returned to base search

• For dense searches scanCount ~= eventCount.
• For sparse searches, scanCount >> eventCount.
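
One way to apply the scanCount/eventCount rule from the answer above to many jobs at once, as an added example that is not part of the original post. It assumes the job list was exported as JSON from the `/services/search/jobs` REST endpoint; the sample data is constructed, and the ratio cut-offs and the names `classify` and `triage` are illustrative assumptions, since the answer only says "~=" and ">>".

```python
import json

# Assumed cut-offs: the answer only says "~=" and ">>", so these two
# numbers are illustrative and should be tuned for your environment.
DENSE_MAX_RATIO = 1.5
SPARSE_MIN_RATIO = 10.0

# Constructed sample shaped like /services/search/jobs?output_mode=json
SAMPLE_JOBS_JSON = """{"entry": [
 {"name": "sid_a", "content": {"isDone": true, "scanCount": 98200, "eventCount": 97950}},
 {"name": "sid_b", "content": {"isDone": true, "scanCount": 1250000, "eventCount": 310}},
 {"name": "sid_c", "content": {"isDone": true, "scanCount": 40000, "eventCount": 0}},
 {"name": "sid_d", "content": {"isDone": false, "scanCount": 5000, "eventCount": 12}},
 {"name": "sid_e", "content": {"isDone": true, "scanCount": 9000, "eventCount": 3000}},
 {"name": "sid_f", "content": {"isDone": true, "scanCount": 0, "eventCount": 0}}
]}"""

def classify(scan_count, event_count):
    """Label one finished job from its scanCount and eventCount."""
    if scan_count == 0:
        return "nothing-scanned"   # no events were read off disk at all
    if event_count == 0:
        return "sparse"            # events were read, none were returned
    ratio = scan_count / event_count
    if ratio <= DENSE_MAX_RATIO:
        return "dense"             # scanCount ~= eventCount
    if ratio >= SPARSE_MIN_RATIO:
        return "sparse"            # scanCount >> eventCount
    return "in-between"

def triage(jobs_json):
    """Return one row per finished job, largest scan overhead first."""
    rows = []
    for entry in json.loads(jobs_json).get("entry", []):
        content = entry.get("content", {})
        if not content.get("isDone"):
            continue               # counts are still changing on running jobs
        scan = int(content.get("scanCount", 0))
        events = int(content.get("eventCount", 0))
        rows.append({"sid": entry["name"], "scanCount": scan,
                     "eventCount": events, "verdict": classify(scan, events)})
    # Jobs that read the most events they did not return come first.
    rows.sort(key=lambda r: r["scanCount"] - r["eventCount"], reverse=True)
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_JOBS_JSON):
        print(row)
```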
