Splunk Search

How does Splunk search work?

indeed_2000
Motivator

Hi

I have 4 huge log files that are ingested into Splunk:

File1

File2

File3

File4

 

Now I want to know: when I search for a specific string that only exists in File1, what will happen?

What happens in the search process? For example, if I exclude File2, 3 and 4, does it affect my search performance? Or does Splunk automatically ignore them because they do not contain that string?

Any idea?

Thanks


isoutamo
SplunkTrust

Hi

You should read this, e.g. from https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutoptimization

There is a lot of information in Splunk's own documentation and also in .conf presentations, e.g. https://conf.splunk.com/files/2019/slides/FN1407.pdf; just search for "search optimisation" on the conf online page.

Briefly, to your question.

If those are the same file but different occurrences, then both source and sourcetype will be the same. But if they are different, then you should use "source=.../File1 sourcetype=st_file1" in your SPL to restrict the search to only this file, and then it will be more efficient.

In general Splunk is not good at excluding things; it's much better to include (as you can see in the docs). This also affects performance. So try to use "a OR b OR c" instead of "NOT d".

Here is one more explanation, maybe a little bit more detailed than what you are looking for? https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-a-detailed-explanation-on-how-Splunk-...

Unfortunately I couldn't find that Splunk_and_MapReduce.pdf on splunk.com anymore, but some copies seem to be available elsewhere. Does anyone know if this is still available on splunk.com?

r. Ismo

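The restriction Ismo describes, written out in SPL as an added example (this is not code from his reply or from Splunk's documentation). The index name `main`, the path `/opt/logs/File1`, the sourcetype names `st_file1` to `st_file4` and the search term `"specific_string"` are assumptions chosen for illustration; substitute the values from your own environment.

```spl
index=main source="/opt/logs/File1" sourcetype=st_file1 "specific_string"

index=main (sourcetype=st_file1 OR sourcetype=st_file2) "specific_string"

index=main NOT (sourcetype=st_file2 OR sourcetype=st_file3 OR sourcetype=st_file4) "specific_string"

| tstats count where index=main earliest=-24h by source sourcetype
```

The first search is the form to use when you already know the string lives only in File1: `index`, `source` and `sourcetype` are indexed fields, so the restriction is applied before events are read off disk. The second and third searches return the same events when those four sourcetypes are the only ones in the index, but the second (inclusive `OR`) is the shape Splunk's optimisation guidance prefers over the third (`NOT`). The last query, run on its own, lists which `source` and `sourcetype` values actually exist in the index over the last 24 hours, so you can see whether the four files share a sourcetype before writing the restriction. To check the effect rather than guess, run the unrestricted `index=main "specific_string"` and the restricted form over the same time range and open Job Inspector for each: if `scanCount` is far larger than `eventCount`, the search read many events it then discarded, which is exactly the cost the restriction removes.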