Why does specifying indexed fields with "field"::"value" result in faster and more efficient searches?

kiril123
Path Finder

The Splunk manual "Write better searches" contains the following recommendation:

Specify indexed fields with "field"::"value"
You can also run efficient searches for fields that have been indexed from structured data such as CSV files and JSON data sources. When you do this, replace the equal sign with double colons, like this: "field"::"value".

This is the link to the manual:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Writebettersearches

I have tried this recommendation myself and the searches indeed execute much faster.

My question is: why does specifying indexed fields with "field"::"value" instead of "field"="value" result in faster searches?
What exactly happens when the search is executed?


cpetterborg
SplunkTrust

The fields that are accessed are those which have indexed fields, not search time field extractions. Those will be faster because your search only needs to look in the tsidx files, so they are faster. In your search, designating a match with :: will make it faster because it is an indication to the search processor that it will only have to go to the tsidx files to get those values, and not perform a more time consuming look into the data, doing search time field extractions.

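To make the difference concrete, here is an added example (not from the post or the Splunk docs); the index "web", sourcetype "access_combined" and indexed field "status" are assumed. The first search matches "status" whether it is an indexed field or a search-time extraction; the second matches only the indexed copy and therefore returns nothing if "status" is extracted at search time only; the third is a way to confirm the field is indexed, since tstats reads tsidx data only.

```spl
index=web sourcetype=access_combined status=500

index=web sourcetype=access_combined status::500

| tstats count where index=web sourcetype=access_combined status=500
```

If the tstats search returns 0 while the first search returns events, "status" is not indexed for that sourcetype, and the :: form gains nothing there.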

harshpatel
Contributor

Hi,
Any idea from which Splunk version it is available?

kamlesh_vaghela
SplunkTrust

@harshpatel

Maybe 6.3. I've concluded on the basis of documentation available for the different versions.

Check the topic "Specify indexed fields with ::" in the documentation below.

Splunk version 6.2.15 doesn't have it, but it is found from 6.3.0 onwards 🙂

https://docs.splunk.com/Documentation/Splunk/6.2.15/Search/Writebettersearches

https://docs.splunk.com/Documentation/Splunk/6.3.0/Search/Writebettersearches

Happy Splunking
