Splunk Search

Why does search take more time?

Bhagyashri
Explorer

I searched for sourcetype=java "xyz". It returns just 202 events and scanned events are 12452, and the search takes 8 minutes. Why is it taking so much time?
My system configuration: single-instance machine with 4 cores @ 3.3 GHz, 16 GB RAM and 64-bit OS.

0 Karma

esix_splunk
Splunk Employee

Here are some places to start reading to find out about Splunk and search performance. Reading indexed data on disk is I/O intensive and bound by that. So having 7200rpm+ disks (SSD or 15krpm) is recommended. Don't do virtual disks and expect good performance.

http://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches
http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements

0 Karma

esix_splunk
Splunk Employee

What kind of data source is it? Sourcetype? Do you have extractions running? What does your search look like? Are you running other things on the machine? What does job inspector say?

0 Karma

Bhagyashri
Explorer

Actually it is a text kind of file and I have given it the custom sourcetype java. No, it doesn't have extractions running. Search is running in smart mode. Nothing is running on the machine. Not even monitoring of a file, just doing search.
Job inspector shows:
command.search takes more time; in that, command.search.filter 285 sec
command.search.rawdata 200 sec
dispatch.fetch 1072 sec
dispatch.localsearch and dispatch.stream.local are also taking more time
My search query is:
sourcetype=java "w(0x40D9)" | fields + source | fields - _raw, _time

0 Karma

esix_splunk
Splunk Employee

Dispatch.fetch is taking a long time to run. So this is most likely related to slow disks. Search is disk intensive in most cases.

0 Karma

Bhagyashri
Explorer

But in the Splunk documentation they mention that search is related to CPU: 1 CPU per search.
What kind of disk should be used for search performance?

0 Karma