Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How splunk search work

indeed_2000
Motivator
‎12-08-2021 08:12 PM

Hi

I have 4 huge log file that ingest into the Splunk

File1

File2

File3

File4

 

Now i want to know when i search specific string that only exist in the file1, what will be happen?

What happens in the search process, for example if i exclude file2,3,4, does it effect in my search performance? Or Splunk automatically ignore them because they have not contain that string.

 

Any idea?

 

Thanks

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 12:03 AM

Hi

You should read this e.g. from https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutoptimization

There are lot of information on splunk's own documentation and also on .conf presentations e.g. https://conf.splunk.com/files/2019/slides/FN1407.pdf just search with "search optimisation"  from conf online page.

Shortly to your question.

If those are same file but different occurrences then bot source and sourcetype will be same. But if those are different then you should use "source=.../File1 sourcetype=st_file1" on your SPL to restrict the search to only this file and then it will be more efficiently.

In generally splunk is not good for exclude things, it's much better to include (as you can see on docs). This affects also to performance. So try to use " a OR b OR c" instead of "NOT d".

Here is one more explanation, maybe little bit more detailed than what you are looking? https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-a-detailed-explanation-on-how-Splunk-...

Unfortunately I couldn't found that Splunk_and_MapReduce.pdf anymore from splunk.com, but some copies seems to be available somewhere else. Does anyone known if this is still available also on splunk.com?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...