Splunk Search

Why are searches using certain fieldnames so slow?

Path Finder

In most cases, I don't notice a huge difference when I specify a fieldname or do a free text search, but for some fields it is literally 260 times slower.

Are searches using fieldnames supposed to be slower than free text?
What is it about these particular fields that make it unbearably slow?

For instance:
index=main myusername
This search has completed and has returned 1,774 results by scanning 1,774 events in 2.65 seconds

index=main user=myusername
This search has completed and has returned 1,774 results by scanning 40,885,115 events in 689.411 seconds

Tags (4)
0 Karma

Super Champion

Good question
In Search index=main myusername, You are searching for string of "myusername" and it is blazingly fast in Splunk.

But in search index=main user=myusername . you are searching for a key-value field. Splunk doesn't now if that's raw data, or evaluated field. So it has use the TA's , props/transforms/eventypes or enriched fields kinda.

Some good tips which I do are
=> If you are sure, that the keyword is present in raw data then do index=main myusername user=myusername
=> Use TERM if you know the key-value pair is present in the raw data
=> if its an index field, you could use double colon (::) for key-value pair

0 Karma

Path Finder

Let me ask a slightly different question. In general, is it going to be faster using a string search compared to a field search?

0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...