Splunk Search

In the job inspection report what does the value 'command.search.expand_search' relate to?

Ruttager
Engager

Hi,

I'm very new to Splunk and I'm looking at a single node instance that's being used in our office to store a large amount of data (over 1 billion records) the performance is off with most searches taking minutes to complete. I was looking at the job inspector to see where the delays were lying and I was expected to see a lot of IO delay (which I do) However, there is this one field command.search.expand_search which takes about 50% of the total search time to complete, googling it brings up nothing. Can anyone shed any light on what is actually happening underneath?

Thanks

Tags (1)

Ruttager
Engager

Splunk version is 7.0.0

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...