Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookups slow performance

cwinkler109
New Member
‎02-25-2019 08:00 PM

Background

  • We are a new SplunkCloud customer and are building out our instance, setting up our indexes, field extractions, etc. I’m currently working on Lookups and and seeing unexpected performance characteristics from the searches I am running.
  • I created an automatic lookup that links the data in one of our indexes to a lookup table that has about 15k rows and 7 columns of data. The automatic lookup links the index to the lookup table via a “guid" field.

Issue:

  • This search takes 48 seconds to complete and has a scan count of 16million index=my_index guid=my_guid
  • This search takes 300ms to complete and has a scan count of 410 index=my_index my_guid

Why is the first search doing all of this extra work? We are about to roll out access to Splunk to about 150 employees. I want to make sure I understand the proper way to recommend people to run searches against this index that is linked to the lookup table.

Thanks in advance,
Chris

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-02-2019 09:14 PM

It depends on how many definitions exist to create the field guid and what types they are. This is a VERY deep topic. Start here and pay special attention to the parts regarding lispy:
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
Also check out this:
https://splunkbase.splunk.com/app/2871/

If the field guid is an indexed field, then you can use this:

index=my_index guid::my_guid
0 Karma
Reply

tiagofbmm
Influencer
‎02-26-2019 05:51 AM

The second search is going directly for the index to look for your guid. The first one needs to match (don't know how many fields are you matching against the lookup) every event to the lookup before filtering, and that's where this questions come into place

Is that lookup CSV or KVStore based?

If it is KVStore, maybe you'd prefer it to be replicated to the Indexer layer for performance increase?

How frequently is that lookup updated?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...