Splunk Search

What is "batch mode" search?

a212830
Champion

Hi,

I'm testing out some features in 6.3, and looking at increasing our search and index throughput. One of the settings in the doc is "batch_search_max_pipeline", and the doc says:

"Customers leveraging batch mode search parallelization can see a doubling of speed in returning batch mode search results."

What is meant by "batch mode"? An interactive search? A scheduled search? Both? Neither?

Tags (3)
1 Solution

hortonew
Builder

a212830
Champion

It doesn't. Already read that doc - doesn't state what they mean by this term, and it's the first time that I've ever heard "batch_mode" used with Splunk.

0 Karma

a212830
Champion

Perfect! Thanks.

0 Karma

burwell
SplunkTrust
SplunkTrust

This manual entry is a good start but I don't understand what truly makes a search qualify as a batchmode search. Could we have examples that show searches that ARE batchmode searches and ones that are not?

0 Karma

bhavinthaker
Engager

From the links already shared above:

Think of a Batch mode search as a search that does NOT require searching on time-ordered events, for example, a search that uses the "stats" command which calculates aggregate statistics, such as average, count, and sum, over the results set. Other examples are searches that use transforming commands like chart, timechart, stats, top, rare, contingency, and highlight, which transform search result data into the data structures required for visualizations such as column, bar, line, area, and pie charts.

Requirements for batch mode search:

Transforming searches that meet the following conditions can run in batch mode.
* The searches need to use generating commands like search, loadjob, datamodel, pivot, or dbinspect.
* The search can include transforming commands, like stats, chart, and so on. However the search cannot include commands like localize and transaction.
* If the search is not distributed, it cannot use commands that require time-ordered events, like streamstats, head, and tail.

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...