Splunk Search

Ideas on a timechart with large volume

subtrakt
Contributor

Hi!
I have a timechart that runs every ten minutes, but the event volume is very high and sometimes the query won't complete in 10 minutes. The query is using an index also.

I'm open to any options. I just need to know percentage from about 6 different sources of traffic defined in a lookup "NAME" field.

Can timecharts rollover? I would think the chart could run a search once then constantly rollover into itself every 10 minutes instead of re-running the entire search again.

... | timechart span="2m" count by NAME

0 Karma

yannK
Splunk Employee

Check whether you can optimize your lookup to happen after the timechart instead of before, to avoid doing it for each event.

mysearch | bin _time span=2m | stats count by fieldA _time | lookup mylookup fieldA OUTPUT fieldB | timechart span=2m sum(count) by fieldB

0 Karma

martin_mueller
SplunkTrust

That search looks very accelerate-able, try checking the Report Acceleration box.

0 Karma

subtrakt
Contributor

index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" | timechart span="2m" count by SRC_NAME limit=12 useother=f

The scheduled search is set to delete the saved search after 10 minutes because I figured it would fill up the Splunk drive with tons of saved searches that are executed every 10 mins.

0 Karma

Ayn
Legend

This sounds like a good way to keep Splunk way too busy with rereading huge amounts of data over and over again. You should consider doing some kind of acceleration or summary indexing. Tell us more about your scenario, your data and your exact query and I'm sure we can come up with some good options.

0 Karma

subtrakt
Contributor

A 2-hour earliest search that is scheduled to run every 10 minutes.

0 Karma

MuS
SplunkTrust

I assume you only search the last 10 minutes if you run your timechart search at this interval? Like:

<your base search> earliest=-10m | ...
0 Karma
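Putting the suggestions in this thread together (yannK's lookup after stats rather than per event, Ayn's summary indexing, MuS's 10-minute window), here is an added example in SPL that nobody in the thread posted; it is built on the fields of subtrakt's original query. The summary index name summary_traffic, the source name traffic_by_src, the lookup name src_names and its SRC_NAME to NAME mapping are assumptions. The first search is the one to schedule every 10 minutes; it reads only the last aligned 10-minute window, pre-aggregates into 2-minute buckets and writes the small result set into the summary index. The second search is the one that draws the chart: it reads 2 hours of summary rows instead of raw events, applies the lookup to a handful of rows per bucket, and turns the counts into the percentage per source that the question asks for.

```spl
index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" earliest=-10m@m latest=@m
| bin _time span=2m
| stats count BY _time SRC_NAME
| collect index=summary_traffic source="traffic_by_src"

index=summary_traffic source="traffic_by_src" earliest=-2h@m
| lookup src_names SRC_NAME OUTPUT NAME
| fillnull value="unknown" NAME
| stats sum(count) AS count BY _time NAME
| eventstats sum(count) AS total BY _time
| eval pct=round(100*count/total, 1)
| timechart span=2m max(pct) BY NAME limit=12 useother=f
```

Save the first search as a scheduled report with a cron schedule of */10 * * * *; the inline earliest/latest snap the window to minute boundaries so consecutive runs neither overlap nor leave gaps. The index named in collect must already exist (Splunk ships with one called summary if you prefer not to create your own). Two caveats a practitioner will want: events that are indexed after their 10-minute window has been summarized are never counted, so if indexing lag matters, run the generating search against a lagged window such as earliest=-15m@m latest=-5m@m; and because the summary rows keep SRC_NAME rather than NAME, a later change to the lookup is picked up by the charting search without re-summarizing anything, which is why the lookup belongs in the second search, not the first.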