Splunk Search

Tstat search taking a long time - "IO" "CPU" and "Disk Access" all very low - What can i do?

Motivator

HI

I am running a BIG TSTAT search off a Datamodel - The bottle neck is dispatch.stream.local + dispatch.fetch (I have been told this is IO). However when i look at the IO[15%], CPU[30%] and disk[10%] Access its all low, so what can i change to make it faster?
I cant really change the search.

I have one machine running one indexer and one search head.
IF the answer is to add more indexers, then how does that work, will the Datamodel not be over 2 Indexers if so what configuration do i need to the indexers, Cluster , replication etc..

Cheers in advance
Rob

alt text

Screen reader users, click here to skip the navigation bar
Search job inspector
This search is still running and is approximately 100% complete.

(SID: adminadmin_bXVyZXhfbWxjbaseSearch_1541497799.72679) search.log

Execution costs
Duration (seconds) Component Invocations Input count Output count
32.84 .executeinput.flushprestats 42 6,071,708 6,071,708
266.90 command.tstats 320 6,463,345 6,463,345
194.78 command.tstats.querytsidx 120 - -
72.07 command.tstats.execute
input 160 6,463,345 -
0.02 dispatch.checkdiskusage 16 - -
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate 1 - -
0.01 dispatch.evaluate.rename 8 - -
0.00 dispatch.evaluate.eval 1 - -
0.00 dispatch.evaluate.tstats 1 - -
0.00 dispatch.evaluate.noop 1 - -
118.87 dispatch.fetch 160 - -
0.00 dispatch.optimize.FinalEval 1 - -
0.02 dispatch.optimize.matchReportAcceleration 1 - -
0.00 dispatch.optimize.optimization 1 - -
0.00 dispatch.optimize.reparse 1 - -
0.00 dispatch.optimize.toJson 1 - -
0.00 dispatch.optimize.toSpl 1 - -
59.01 dispatch.preview 1 - -
29.54 dispatch.preview.tstats.executeoutput 1 - -
22.71 dispatch.preview.command.rename 8 3,089,376 3,089,376
3.70 dispatch.preview.command.eval 1 386,172 386,172
2.95 dispatch.preview.write
resultstodisk 1 - -
194.83 dispatch.stream.local 160 - -
0.10 dispatch.writeStatus 67 - -
0.14 startup.configuration 1 - -
0.00 startup.handoff 1 - -
Search job properties
Server info: Splunk 7.0.3, splunk:8000, Tue Nov 06 10:00:56 2018 User: admin

0 Karma

Champion

Is the data model speeded up?
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels

For data not summarized as TSIDX data, a complete search operation is used for the original index data.

0 Karma

Motivator

Thanks for the replay, but yes it is accelerated

0 Karma

Champion

Is there a hint on this blog?

https://helgeklein.com/blog/tag/acceleration/

0 Karma