Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding a search is dense or sparse or rare search by looking into search dispatch directory.

sibanandapani1
Explorer
‎10-15-2014 03:54 PM

We have few searches. How to find whether search is a rare search, or Dense or Sparse search.

Was there anywhere log for this thing. Please help me.

Tags (1)
0 Karma
Reply

jluste
Path Finder
‎10-24-2014 11:04 AM

Taken from Slide 26 of the Search Optimization in 500 Easy Steps presentation given at .conf2014 by Julian Harty.

How can I determine if my search is Dense or Sparse?
Use Job Inspector…

scanCount = The number of events that are scanned or read off disk.
eventCount = Number of events that are returned to base search

• For dense searches scanCount ~= eventCount.
• For sparse searches, scanCount >> eventCount.

Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...