Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk search used to run fast now its taking forever

aaronkorn
Splunk Employee
Splunk Employee
‎04-10-2013 07:48 AM

One of our Splunk searches that just searches for all events in an index for the last 24hrs used to be blazingly fast now its taking up to 10 min to retrieve the data. What can be done to troubleshoot? We received a message yesterday noting that field extractions were taking unusually long. Any ideas? Thanks!

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎04-10-2013 08:29 AM

one thing you could do is install the Splunk on Splunk app, it was created by Splunk's Suport team to help them troubleshoot user issues:
http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk

you could also review the search in the Search Job Inspector:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/UsingtheSearchJobInspector

in particular, you can see what parts of the search are taking the most resources:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/UsingtheSearchJobInspector#Execution_costs

however, if the search hasn't changed, it's probable that the bottleneck is elsewhere in the system--i'm betting SoS can help.

Reply

piebob
Splunk Employee
Splunk Employee
‎04-12-2013 11:51 AM

i recommend asking this as a separate question--i don't know the answer, and the question is sorta buried down here 🙂

0 Karma
Reply

aaronkorn
Splunk Employee
Splunk Employee
‎04-11-2013 12:55 PM

Looks like I found the issue. This one log was dumping in hundreds of exception messages that were exceeding 200+ lines. Is there a way to tell splunk to only look at the first so many lines of a message when pulling it in? IE look at an event and only pull in the first 50 lines or so?

0 Karma
Reply

aaronkorn
Splunk Employee
Splunk Employee
‎04-10-2013 08:56 AM

Thanks for the feedback. We do have the SoS app installed but I couldnt notice any blaring errors in the logs. By looking at the inspector I see that much of the time spent on the command.search, command.search.kv, dispatch.fetch, and dispatch.stream.remote.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...