Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I identify field extractions that are causing performance problems?

pkeller
Contributor
‎09-19-2016 08:45 AM

Is there a log configuration option that will have splunkd logging when poorly written field extractions are impacting search performance? (or is there some other option to use a Splunk search to identify extraction related performance issues?)

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎09-28-2016 09:59 AM

Sounds like you already know field extraction is the issue, and which search is slow and have performance issue. And, you would like to know which field extraction is causing performance issue for the search.

Most likely log you get help is search.log in your search artifact. So, enabling DEBUG log ( $SPLUNK_HOME/etc/log-searchprocess.cfg) might help. But, usually reading through the debug log cannot really help except for you see some error or warn message. So, identifying which field extraction is causing performance issue is usually difficult to be identified by a log file.

I would try to break it down to pieces and see when the performance issue happens.

If you're not sure if field extraction is causing the search performance issue, this troubleshooting would be more complicated, indexers, buckets, event volume, memory, search commands types, etc, etc.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2016 09:17 AM

You could use the job inspection to examine your search.
You can find it under the Process button.
Everyway I suggest to verfy disk i/o that should be at least 800 iops, usually this is the Splunk performances problem, I used bonnie++.
Bye.
Giuseppe

0 Karma
Reply

pkeller
Contributor
‎09-19-2016 09:31 AM

Thank you. Yes, I use the job inspector often. I was more interested in identification of bad extractions for searches that others are running in the hopes of mitigating issues before they affect other users. Like maybe something in splunkd.log that I could use to alert us when a bad extraction is negatively impacting search performance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...