Splunk Search

Is the search job inspector option the best way to determine the performance of a search query?

vpurushottam
Explorer

Hi,

I am pretty new to Splunk and wanted to know how to determine the performance of a query? Is it through the "Inspect Job" option?

And also, can anyone help me with optimizing the following query or is it already optimized?:

index = "example" 
|lookup Lookup_1 RecordNumber OUTPUT Location, VIP_Guest_Number
|search Location != ""
|eval Guest_Name=upper(Guest_LN) + ", "+upper(Guest_FN) 
|lookup Lookup_2 "User ID" as UID OUTPUT "Department Name" as Department, "Institution" as Institution, Title, Manager as MUID 
|table Arrival_Date, UID, User_Name, RecordNumber, Guest_Name, Location, VIP_Guest_Number, Metric_Name, Department, Institution, Title, MUID 

This query takes about 220 seconds (as seen on the Inspect Job tab) to generate results when given around 12-13 million rows.

Is there any way I can make it work faster or is it what it is?

Thank you in advance

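One way to read the same numbers the Job Inspector shows, for every recent job at once instead of one job at a time, as an added example that is not part of the original thread. It queries Splunk's search-jobs REST endpoint from SPL; `splunk_server=local` and `count=0` are options of the `rest` command, `runDuration`, `scanCount`, `eventCount` and `resultCount` are the job properties the inspector reports, and the `scan_to_result` column is a derived metric of my own, not a Splunk field:

```spl
| rest /services/search/jobs splunk_server=local count=0
| search isDone=1
| eval scan_to_result = if(resultCount > 0, round(scanCount / resultCount, 1), null())
| table sid, author, runDuration, scanCount, eventCount, resultCount, scan_to_result, search
| sort - runDuration
```

The endpoint only lists jobs your role is allowed to see, so run it as the user who ran the slow search. The ratio is the first thing to look at: `scanCount` is the number of events read from disk, `resultCount` is what came out of the pipeline, and a ratio in the thousands means most of the run time went into reading and discarding data that a tighter base search (time range, more key/value terms) would never have touched. The per-command breakdown (how long `lookup`, `eval` and `table` each took) is only in the inspector's Execution costs table, so use the two together.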
1 Solution

chrisyounger
SplunkTrust

This is an excellent video about the job inspector: https://www.youtube.com/watch?v=n3OqaB6GVXs

Docs article explaining what the job inspector fields mean: https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/ViewsearchjobpropertieswiththeJobInspector

Good article about writing better searches: https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Writebettersearches

Your query already looks really good to me. There is nothing obvious I can see for making it faster. Lookups are typically very quick. All your commands you used are distributable to the indexers so they benefit well from parallelisation.


gstultz_splunk
Splunk Employee

I can think of a few things that may speed up the search. In no particular order, try these.
1. Limit the initial time range for the index="example" search. You can eliminate a lot of buckets by specifying the time.
2. Do you need all of the fields returned by the initial index="example" portion? If not, use the "fields" command to reduce the amount of data that is manipulated.
3. Can you be more specific in your initial search? If you can add more matching key/value pairs to reduce the data, so much the better.
4. Use the "Fast" mode to search, not Smart or Verbose modes.
5. Replace the ... | search Location != "" line with ... | where isnotnull(Location). != forces all of the data to be searched first, then returns the events that don't match.
6. Move the eval statement after the second lookup.

I'd be curious to hear if there's any time improvements.
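The six suggestions above folded into one query, as an added example that is not part of the original thread. The field names are the ones from the question; the seven-day window and the `inputlookup` subsearch are my assumptions. The subsearch goes one step beyond item 3: instead of dropping rows without a Location after the lookup, it restricts the base search to RecordNumber values that exist in Lookup_1, so the filtering happens on indexed terms before any event is read into the pipeline. That only works when the lookup is small enough to stay under the subsearch result limit (10,000 rows by default, `maxout` in limits.conf); above that the subsearch is silently truncated and rows go missing.

```spl
index="example" earliest=-7d@d latest=@d
    [| inputlookup Lookup_1 | fields RecordNumber]
| fields Arrival_Date, UID, User_Name, RecordNumber, Guest_LN, Guest_FN, Metric_Name
| lookup Lookup_1 RecordNumber OUTPUT Location, VIP_Guest_Number
| where isnotnull(Location) AND Location!=""
| lookup Lookup_2 "User ID" AS UID OUTPUT "Department Name" AS Department, Institution, Title, Manager AS MUID
| eval Guest_Name=upper(Guest_LN) . ", " . upper(Guest_FN)
| table Arrival_Date, UID, User_Name, RecordNumber, Guest_Name, Location, VIP_Guest_Number, Metric_Name, Department, Institution, Title, MUID
```

Two things to check before trusting the result. The `fields` list must keep every field a later command reads, including the lookup keys (RecordNumber, UID) and the inputs to the eval (Guest_LN, Guest_FN); a field dropped there does not raise an error, the lookup or eval just produces nulls. The `where` keeps both tests because a non-matching lookup leaves Location absent (caught by `isnotnull`) while a lookup row with a blank value leaves it empty (caught by `!=""`). Fast mode (item 4) is not part of the query text: set it in the search bar's mode selector or pass `adhoc_search_level=fast` when dispatching over REST. Then re-run Inspect Job on the old and new searches and compare `scanCount`: the subsearch and the narrower time range should cut it, the other changes reduce per-event work but leave it unchanged.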