Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

slow splunk seaches

gauravmsharma
Path Finder
‎10-06-2020 03:27 AM

A simple search(index="xx" source="/aa/bb/cc.log") made on my searchead takes 4 minutes to display 7.5 millon events for past 4 hours. This seems to be a very slow performance. My architecture contains 2 peer nodes and a master plus searchead which are dedicated machines. 

More complex searches with regex takes enormous time. Where do i start troubleshooting this slowness.

Does inceasing IOPS for hot db (/var/opt/splunk/db) on my peer nodes, will have a postive effect on my perfomance or any other things to check on this.

Labels (1)
Labels
0 Karma
Reply

leonard_dupray
New Member
‎10-06-2020 04:10 AM

How many diff apps do you have installed on your search head?

0 Karma
Reply

gauravmsharma
Path Finder
‎10-06-2020 04:29 AM

8 apps

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2020 03:35 AM

Hi @gauravmsharma 

iops improvement is good.. also, generally improving search speed is a complex task, requires lot of analysis... 

https://conf.splunk.com/files/2017/slides/speed-up-your-searches.pdf

https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/Writebettersearches

https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/Quicktipsforoptimization

 

the summary indexing, data model acceleration ideas will improve search performance good. 

 

(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...