Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where does a search process consume its run time?

rettops
Path Finder
‎08-16-2013 02:21 PM

We have performance problems. Looking at one of the search logs, I see that it ends with

08-16-2013 14:00:55.172 INFO  NewTransam - Finalizing. Committing all open txns withheld
08-16-2013 14:01:26.542 INFO  NewTransam - evicted=0, closed=554, event_count=163158, candidate_events=162604, comparison_count=974503
08-16-2013 14:01:26.542 INFO  NewTransam - Finalizing/previewing. Committing all open txns withheld
08-16-2013 14:01:26.547 INFO  NewTransam - evicted=0, closed=554, event_count=163158, candidate_events=162604, comparison_count=974503
08-16-2013 14:01:26.555 INFO  NewTransam - Finalizing/previewing. Committing all open txns withheld
08-16-2013 14:11:27.427 INFO  NewTransam - evicted=0, closed=8, event_count=554, candidate_events=546, comparison_count=670
08-16-2013 14:11:35.686 INFO  script - Invoked script vgformatmaintable with 71613951 input bytes (8 events).  Returned 496 output bytes in 1049 ms.
08-16-2013 14:11:35.692 INFO  UserManager - Unwound user context: spotter -> NULL
08-16-2013 14:11:35.694 INFO  UserManager - Setting user context: spotter
08-16-2013 14:11:35.694 INFO  UserManager - Done setting user context: NULL -> spotter
08-16-2013 14:11:35.694 INFO  UserManager - Unwound user context: spotter -> NULL
08-16-2013 14:11:35.694 INFO  DispatchCommand - DispatchManager::dispatchHasFinished(id='1376686831.442', username='spotter')
08-16-2013 14:11:35.830 INFO  UserManager - Unwound user context: spotter -> NULL

Notice the jump from 14:01 to 14:11, when it is supposedly "Finalizing/previewing". What is it actually doing during those ten minutes? Any suggestions for debugging this?

UPDATE: I just attached to the search process with 'strace'. For 10 minutes the only system calls the process made were 'madvise MADV_DONTNEED' and 'mmap'.

Reply

hexx
Splunk Employee
Splunk Employee
‎08-16-2013 03:39 PM

I would recommend that you run the search again and look at the search job inspector in order to see a break down of how the search process uses its run time.

Reply

rettops
Path Finder
‎08-16-2013 04:48 PM

The job inspector break down accounts for ~60 seconds of the 660 seconds elapsed time. We're still missing 10 minutes.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...