Splunk Search

How does Splunk search work?

indeed_2000
Motivator

Hi

I have 4 huge log files that are ingested into Splunk:

File1

File2

File3

File4


Now I want to know: when I search for a specific string that only exists in file1, what will happen?

What happens in the search process? For example, if I exclude file2, file3 and file4, does it affect my search performance? Or does Splunk automatically ignore them because they do not contain that string?


Any idea?


Thanks

0 Karma

isoutamo
SplunkTrust

Hi

You should read about this, e.g. at https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutoptimization

There is a lot of information in Splunk's own documentation and also in .conf presentations, e.g. https://conf.splunk.com/files/2019/slides/FN1407.pdf. Just search for "search optimisation" on the .conf online page.

Briefly, to your question:

If those are the same file but different occurrences, then both source and sourcetype will be the same. But if those are different, then you should use "source=.../File1 sourcetype=st_file1" in your SPL to restrict the search to only this file, and then it will be more efficient.

In general, Splunk is not good at excluding things; it's much better to include (as you can see in the docs). This also affects performance. So try to use "a OR b OR c" instead of "NOT d".

Here is one more explanation, maybe a little bit more detailed than what you are looking for? https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-a-detailed-explanation-on-how-Splunk-...

Unfortunately I couldn't find that Splunk_and_MapReduce.pdf on splunk.com anymore, but some copies seem to be available elsewhere. Does anyone know if this is still available on splunk.com as well?

r. Ismo

0 Karma
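As an added illustration of the advice in the answer above (not code from the original post or from Splunk's documentation), the same lookup for a string that only lives in File1, written three ways in SPL; the index name `YOUR_INDEX`, the `*/File1` path wildcard and the sourcetype `st_file1` are placeholders to replace with your own values:

```spl
index=YOUR_INDEX "specific string"

index=YOUR_INDEX source="*/File1" sourcetype=st_file1 "specific string"

index=YOUR_INDEX (source="*/File1" OR source="*/File2") "specific string"

index=YOUR_INDEX NOT source="*/File3" NOT source="*/File4" "specific string"
```

The first search has to be evaluated against the data of all four files; the second tells the indexers up front to consider only File1 events, which is the restriction the answer recommends. The third and fourth return the same events, but the third follows the "include with OR" pattern the answer prefers over the "exclude with NOT" pattern of the fourth.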