Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

slow splunk seaches

gauravmsharma
Path Finder
‎10-06-2020 03:27 AM

A simple search(index="xx" source="/aa/bb/cc.log") made on my searchead takes 4 minutes to display 7.5 millon events for past 4 hours. This seems to be a very slow performance. My architecture contains 2 peer nodes and a master plus searchead which are dedicated machines. 

More complex searches with regex takes enormous time. Where do i start troubleshooting this slowness.

Does inceasing IOPS for hot db (/var/opt/splunk/db) on my peer nodes, will have a postive effect on my perfomance or any other things to check on this.

Labels (1)
Labels
0 Karma
Reply

leonard_dupray
New Member
‎10-06-2020 04:10 AM

How many diff apps do you have installed on your search head?

0 Karma
Reply

gauravmsharma
Path Finder
‎10-06-2020 04:29 AM

8 apps

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2020 03:35 AM

Hi @gauravmsharma 

iops improvement is good.. also, generally improving search speed is a complex task, requires lot of analysis... 

https://conf.splunk.com/files/2017/slides/speed-up-your-searches.pdf

https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/Writebettersearches

https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/Quicktipsforoptimization

 

the summary indexing, data model acceleration ideas will improve search performance good. 

 

(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...