Splunk Search

Should you specify or not specify the index in your search?

sjaworski
Communicator

What are everyone's thoughts on whether you should or should not specify the index in your search? Is sourcetype=value sufficient to reduce which indexes Splunk will search? Or will all indexes based on your role configuration still be searched even if sourcetype=value only exists in one index?

0 Karma
1 Solution

richgalloway
SplunkTrust

I believe in specifying what you know up front. The more specific your search, the less Splunk has to read and the better it performs.

---
If this reply helps you, Karma would be appreciated.


ChrisG
Splunk Employee

I agree with richgalloway. You want to limit the data your search will operate on. Two of the best ways to do that are (1) narrow your time range and (2) partition your data into separate indexes, then search only the relevant index. You always want to search as specifically as you can. See Quick tips for optimization and Write better searches in the Search Manual for more information.

sjaworski
Communicator

Thanks for the links ChrisG[Splunk]

0 Karma

sjaworski
Communicator

When I think in terms of flexibility and time, there may be a need in the future to change an index name. There could be a multitude of reasons to justify the change: a new index name better describes what data is contained in the index, someone does not like the name of the index, a new app uses different indexes, or the "we will fix it before production" mentality. Of course hindsight is 20/20 and there could always be better planning.

Easily after a year there could be hundreds of saved searches/dashboards/etc. for a specific index. The Splunk admin would then need to go into each search and change the index name. After thinking about it now, I could also use a search macro and instruct people to use the macro to call the index. Then in the future, if an index ever changes, I would just have to update the macro to reflect the new index.

0 Karma

richgalloway
SplunkTrust

I've seen apps use macros to specify index names. They shoot themselves in the foot by calling the macro "use_index_foo", but at least they're trying.

---
If this reply helps you, Karma would be appreciated.
0 Karma
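As an added illustration of the macro approach discussed above (not code from this thread or from any Splunk app), here is a macros.conf fragment that names the macro after the data it returns rather than after the index, so renaming the index later means editing one stanza instead of every saved search. The index, sourcetype and macro names are hypothetical.

```ini
# macros.conf (e.g. in $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Macro named for what the data is, not which index holds it.
# Index and sourcetype names below are made-up placeholders.
[web_access_logs]
definition = index=web sourcetype=access_combined
iseval = 0

# Variant taking one argument, so callers can add a host filter
# without having to know the index name.
[web_access_logs(1)]
args = host_filter
definition = index=web sourcetype=access_combined host=$host_filter$
iseval = 0

# Used in searches as:
#   `web_access_logs` | stats count by status
#   `web_access_logs("proxy-*")` | timechart count
#
# If the data later moves to a renamed index, only the two
# "definition" lines above change; saved searches and dashboards
# that call the macro keep working unchanged.
```

Users need read access to the macro's app (and to the underlying index via their role) for the search to return results; a macro cannot widen index permissions.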