Splunk Search

Finding a search is dense or sparse or rare search by looking into search dispatch directory.

sibanandapani1
Explorer

We have few searches. How to find whether search is a rare search, or Dense or Sparse search.

Was there anywhere log for this thing. Please help me.

Tags (1)
0 Karma

jluste
Path Finder

Taken from Slide 26 of the Search Optimization in 500 Easy Steps presentation given at .conf2014 by Julian Harty.

How can I determine if my search is Dense or Sparse?
Use Job Inspector…

scanCount = The number of events that are scanned or read off disk.
eventCount = Number of events that are returned to base search

• For dense searches scanCount ~= eventCount.
• For sparse searches, scanCount >> eventCount.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...