Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is parsing taking so long even with basic searches and filters?

rdschmidt
Explorer
‎07-31-2014 12:12 PM

I am having an issue with our Splunk Server. Every search you run, no matter all the filters, or if you create it basic, the search will say "Parsing" for almost 100 - 120 seconds before it searches. Sometimes if i search a block of records for 7 days and it contains 300,000 records it will parse for 120 seconds and the search will only take 80 seconds.

I have this running on a Virtual Machine that has 8 CPU and 16 GB of RAM dedicated. I cant find that this is a CPU or Memory Issue.

Any Help would be greatly Appreciated.

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

cheinlein
Engager
‎02-13-2015 02:56 PM

Found that we needed a bigger more distributed environment. We are using Amazon Web Services and initially went to a larger EC2 unit. We also went with a CPU optimized configuration, we had been using a memory optimized unit. Still not the performance we wanted so we broke up our environment into a forwarder, 2 indexers and 1 large search head. We get awesome performance now.

View solution in original post

Reply
Solved! Jump to solution

matthieu_araman
Communicator
‎06-10-2015 05:00 AM

I've got the same pb here.
10 minutes delay during parsing phase for any schedule or adhoc search (except if it's directly |), even when it should be low hour usage.
the server is loaded and does too much things but this doesn't explain the behaviour and what I should monitor.
splunk version is 6.2.2 , linux 64 bit, 8 core
this looks to me like there's some queue limit somewhere.
Any idea where to look for ? (every search included on splunk logs is delayed so it's slow to debug...)

0 Karma
Reply
Solved! Jump to solution
Solution

cheinlein
Engager
‎02-13-2015 02:56 PM

Found that we needed a bigger more distributed environment. We are using Amazon Web Services and initially went to a larger EC2 unit. We also went with a CPU optimized configuration, we had been using a memory optimized unit. Still not the performance we wanted so we broke up our environment into a forwarder, 2 indexers and 1 large search head. We get awesome performance now.

Reply
Solved! Jump to solution

aalanisr26
Path Finder
‎02-13-2015 02:41 PM

did you find an answer for this? we are experiencing the same problem,deja vu... did you find a solution? we are seeing the same thing

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎08-04-2014 11:16 AM

64 bit, I assume? How many IOPS on this machine? Have you looked at the Search Job Inspector, which will give you better information about this particular job? Have you looked at the Splunk _internal index for warnings or errors that might indicate performance bottlenecks?

0 Karma
Reply
Solved! Jump to solution

rdschmidt
Explorer
‎08-04-2014 06:58 AM

Linux CentOS

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-31-2014 02:43 PM

I'd open a support ticket. What OS are you running?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top