Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I optimize the performance of my search?

m_vivek
Path Finder
‎10-28-2015 02:19 PM

I am doing a simple search:

index=pqr host=xyz* NOT TYPE="*ABCDE*" | fields X, Y | timechart limit=0 span=10m count, avg(X) by Y

on a two week period.
The search has been running for more than two hours now and is still only at about 60%. Is there a way to make it run faster?

Also sometimes I get

'search has been remotely
cancelled or expired'

What does that mean? how do I prevent a search from getting cancelled?

0 Karma
Reply

woodcock
Esteemed Legend
‎10-31-2015 06:23 AM

To answer your question directly, you can prevent it from happening by EITHER speeding up your search OR clicking on the Jobs menu click Send Job to Background and your job will NOT timeout and you can opt to receive an email when the job completes.

Reply

muebel
SplunkTrust
SplunkTrust
‎10-28-2015 05:30 PM

This looks like a good case for a summary index. Populate the index every 10 minutes with your stats, and then you search the summaries when you want to build a trend.

0 Karma
Reply

m_vivek
Path Finder
‎10-29-2015 10:17 AM

hi muebel, could you elaborate some. i'm pretty new to splunk .

0 Karma
Reply

somesoni2
Revered Legend
‎10-29-2015 10:44 AM

Some reading about summary indexing available here.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usesummaryindexing

0 Karma
Reply

somesoni2
Revered Legend
‎10-28-2015 02:40 PM

Give this a try

index=pqr host=xyz* TYPE!="*ABCDE*" | table _time, X, Y | timechart limit=0 span=10m count, avg(X) by Y

Also, if the data span is to a limited sourcetypes, please add them as well as filter.

Reply

m_vivek
Path Finder
‎10-28-2015 10:32 PM

when i tried above, its running but all fields are staying blank. So i replaced 'table _time' with 'fields' and it's working better.
Is there anyway I can measure/compare the performance of the two search queries in terms of total approx. run time?

0 Karma
Reply

somesoni2
Revered Legend
‎10-29-2015 10:43 AM

YOu can check the job inspector (there is a job menu just below the search bar towards the right side) which shows the amount of time taken by the search.

0 Karma
Reply

walkerhound
Path Finder
‎10-28-2015 02:24 PM

According to this link: http://docs.splunk.com/Documentation/Splunk/6.3.0/Search/Writebettersearches
you should avoid using NOT wherever possible

Reply

MuS
SplunkTrust
SplunkTrust
‎10-28-2015 02:39 PM

Also, do not use * searches. Since Splunk will have to read in your example, all events containing host fields from disk and compare if the values starts with xyz.

Take a good lock at the slide here http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_... to learn more about Search Efficiency Optimisation.

cheers, MuS

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...