Splunk Search

Why are some undefined field searches faster than searches where you define the field and value you are looking for?

packet_hunter
Contributor

So I noticed that when I run two searches like the following, looking for a value (in this case a computer name):

index=indexA sourcetype=sourcetypeA "ComputerName"

index=indexA sourcetype=sourcetypeA dvc=ComputerName

sometimes the search with the undefined field is faster...

I would think that the search would be faster if you provide more specific details that could be seen in the bloom filters, which would speed up the search in general. I am thinking that if the field dvc is not defined, the search defaults to looking at the raw data.

Can anyone explain what is happening here...

Thank you

1 Solution

DalJeanis
SplunkTrust

Try this and see if it beats them both...

index=indexA sourcetype=sourcetypeA "ComputerName" dvc=ComputerName

It is not immediately obvious to me that a bloom filter would always be used if a field name and value are provided. If the above is faster than both the others, then each is having a limiting/accelerating factor.

If the field dvc is not an indexed field, then the field must be extracted at search time before comparison...

Another data question I'd have if trying to investigate this is whether your ComputerNames are all word characters, or whether they may be perceived by Splunk as multiple tokens ("my_computer_name_is_five_words_long_and_lies_to_people"), which could affect performance.

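Added diagnostic searches (not part of the original thread) that separate the two factors raised above: whether dvc is an indexed field, and whether the value is matched as a single lexicon term. They reuse the thread's placeholders indexA, sourcetypeA and ComputerName.

```spl
| tstats count where index=indexA sourcetype=sourcetypeA dvc=ComputerName by dvc

index=indexA sourcetype=sourcetypeA dvc::ComputerName

index=indexA sourcetype=sourcetypeA TERM(ComputerName)

index=indexA sourcetype=sourcetypeA "ComputerName"
```

tstats and the field::value syntax only match indexed fields, so an empty result from the first two searches means dvc is extracted at search time and cannot narrow the bucket scan; TERM() matches only if ComputerName survives segmentation as one token, and comparing its scanCount and elapsed time in the Job Inspector against the quoted-string search shows whether the value is being split into multiple tokens.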