×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dalbreht
Observer
Member since: ‎06-12-2020
‎04-29-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-12-2020
Activity Feed
Topics I've Started
View All

Re: Slow search when using field "host"

by in Splunk Search
‎10-22-2021 05:29 AM
‎10-22-2021 05:29 AM
It is repeatable  and only manifests on this index when I use field "host". In all other cases searches run normally and "fast".   ... View more

Re: Slow search when using field "host"

by in Splunk Search
‎10-22-2021 05:19 AM
‎10-22-2021 05:19 AM
Adding side-by-side view of search performance   ... View more

Re: Slow search when using field "host"

by in Splunk Search
‎10-22-2021 04:55 AM
‎10-22-2021 04:55 AM
Haven't seen any events in search.log that would explain this behavior. No errors or warnings. Execution time analysis shows only longer times in "dispatch.stream.remote" section (fetching data from indexers). Data is equally balanced across cluster so it is not the issue of single node. ... View more

Slow search when using field "host"

by in Splunk Search
‎10-22-2021 04:30 AM
‎10-22-2021 04:30 AM
Hi everyone, I have strange Splunk behavior regarding one of the indexes but first a little bit of background: Environment is indexer cluster with 1 SH Proxy logs are getting ingested from syslog server via universal forwarder (monitor input) Monitor input uses host_segment option to extract host data Sourcetype is set to "cisco:wsa:squid" from splunkbase app "Splunk_TA_cisco-wsa". I'm not using any local configuration for that sourcetype (on any instance) There are no props.conf stanzas that apply configuration based on source or host (i.e. [host::something]) for this specific source or host The issue: When I'm using the search 1 (with field "host") in fast mode it is 10 to 20 times slower than using search 2. Search 1   index=my_index sourcetype=cisco:wsa:squid| fields _time, _indextime, source, sourcetype, host, index, splunk_server, _raw     Search 2   index=my_index sourcetype=cisco:wsa:squid| fields _time, _indextime, source, sourcetype, index, splunk_server, _raw   I have already reviewed full configuration an there is no configuration on any of the instances that is modifying field "host" in any way and when I use it in my search it is drastically slower which is causing issues further down the line. This issue does not manifest on other indexes. All indexes are configured with same options in indexes.conf Hope someone can give me a good clue for troubleshooting. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-29-2024 04:12 AM