Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why would a search from a datamodel take longer than same search against raw ?

jlyon_splunk
Splunk Employee
Splunk Employee
‎06-25-2015 12:44 PM

I performed this search:

| datamodel Authentication Autherntication search | search Authentication.src=xxx.yyy.com (over past 60 min)

the results took 6.26 min

the search against raw:

index=* xxx.yyy.com

and the same number of results only took 10 seconds to return...

Tags (3)
0 Karma
Reply

matthieu_araman
Communicator
‎06-25-2015 01:50 PM

I've experienced the same kind of behaviour.

in my opinion :
in the second case, splunk uses bloom filter -> matches only some buckets depending on your search -> can be very fast
in your dm case, splunk has to build the dm then filter
the build the dm will be for a lot of data -> rather slow. the filtering after is very fast.
but if you accelerate the dm, it could be faster than normal search

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...