Splunk Search

How does Splunk search work?

indeed_2000
Motivator

Hi

I have 4 huge log files that are ingested into Splunk:

File1

File2

File3

File4

Now I want to know: when I search for a specific string that only exists in File1, what will happen?

What happens in the search process? For example, if I exclude File2, 3 and 4, does it affect my search performance? Or does Splunk automatically ignore them because they do not contain that string?

Any idea?

Thanks


isoutamo
SplunkTrust

Hi

You should read this, e.g. https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutoptimization

There is a lot of information in Splunk's own documentation and also in .conf presentations, e.g. https://conf.splunk.com/files/2019/slides/FN1407.pdf; just search for "search optimisation" on the conf online page.

Briefly, to your question.

If those are the same file but different occurrences, then both source and sourcetype will be the same. But if they are different, then you should use "source=.../File1 sourcetype=st_file1" in your SPL to restrict the search to only this file, and then it will be more efficient.

In general Splunk is not good at excluding things; it's much better to include (as you can see in the docs). This also affects performance. So try to use "a OR b OR c" instead of "NOT d".

Here is one more explanation, maybe a little bit more detailed than what you are looking for? https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-a-detailed-explanation-on-how-Splunk-...

Unfortunately I couldn't find that Splunk_and_MapReduce.pdf anymore on splunk.com, but some copies seem to be available elsewhere. Does anyone know if this is still available on splunk.com?

r. Ismo
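As an added illustration of the two points in the answer above (restricting the search to one file with the indexed fields source and sourcetype, and preferring OR-inclusion over NOT-exclusion), here are the weak and the corrected forms side by side. These searches are not from the original post; the index name app_logs, the paths under /var/log/app/, the sourcetype st_file1, the host names and the search term PaymentTimeout are constructed placeholders.

```spl
index=app_logs "PaymentTimeout"

index=app_logs "PaymentTimeout" | stats count by source, sourcetype

index=app_logs source="/var/log/app/File1" sourcetype=st_file1 "PaymentTimeout"

index=app_logs source="/var/log/app/File1" sourcetype=st_file1 "PaymentTimeout" NOT host=web03

index=app_logs source="/var/log/app/File1" sourcetype=st_file1 "PaymentTimeout" (host=web01 OR host=web02)
```

The first search is the unrestricted form from the question: Splunk has to look the term up in the index for all four sources before it can tell that only File1 matches. The second is a quick check to run once, to confirm which source and sourcetype actually contain hits. The third is the restricted form the answer recommends: index, source, sourcetype and host are metadata fields resolved from the index files before any raw event is read, so putting them in the base search narrows the work up front instead of relying on the term lookup alone. The last two show the NOT-versus-OR point: the OR form lists exactly the hosts to include rather than asking Splunk to exclude one. Comparing the two forms in the search job inspector is the simplest way to see the difference in scanned events and run time on your own data.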
