Hello, I'm Splunk Newbie. This is a post that I found while looking for improvement of Splunk's search performance, but I'm asking you a question because it's a little confusing.   I referred to the two posts below. https://splunk.illinois.edu/splunk-at-illinois/using-splunk/searching-splunk/how-to-optimize-your-searches/ https://idelta.co.uk/3-easy-ways-to-speed-up-your-splunk-searches-and-why-they-help/     Question 1) - index=firewall_data 127.0.0.1 Or - index=firewall_data "127.0.0.1" If I search that, because of the internal segmentation process 127 127 1 127 0 1 Is it right to search by dividing it into three approach? Because of this, If I use index=firewall_data TERM (127.1.1.24), is it correct that the breaker is not used and it shows better performance? Question 2) index=firewall_data "127.0.0.1" has more resources if the assumptions in question 1 are correct The index= firewall_data TERM (127.1.1.24) should perform better, but when tested, it actually did the same. It says that the data I searched for and the resource (time) are all the same, why?   ... View more

Hello. I'm a Splunk newbie. There is confusion about setting up data model acceleration. According to the official documentation, if the data in your data model is out of date, Splunk will continuously delete it and keep the data in your data model up to date. So, for example, if you summarize a month's data model in 0 12 * * *cycles, 1. -30 to 0 days data summarized 2. Day after day 3. Data from day -29 to +1 is summarized. 4. -30 days data is deleted Is this process correct? If this process is correct, why is it being done this way? And, information summarized through data model acceleration Is there a way to keep them consecutively like a summary index without them being deleted? ... View more

Hello. I am a Splunk newbie. I have a question about the replication factor in searchhead clustering. Looking at the docs it says that search artifacts are only replicated for scheduled saved searches. https://docs.splunk.com/Documentation/Splunk/9.1.2/DistSearch/ChooseSHCreplicationfactor   I'm curious as to the reason and advantage of duplicating search artifacts only in this case. And, then, in the case of real-time search, is it correct that search artifacts are not replicated and only remain on the local server? In that case, in a clustering environment, member 2 should not be able to see the search results of member 1. But I can view it by using the loadjob command in member2. Then, wouldn’t it be possible to view real-time search artifacts as well? Thank you ... View more

 Hello. I have a question about the captain selection process. Let me ask you a question using the example below. 1. In a clustering of four searchheads, the captain goes down. 2. Among the remaining three, the search header whose timer expired earliest asks the remaining two to vote. 3. The remaining two cars vote for the search header whose timer ended early. 4. Although two votes were received, the captain election failed because three votes were required due to the majority rule. This is the process of captain selection in my opinion. However, when I practiced it myself, even if one of the four planes was down, another captain was automatically selected from the three remaining planes. How is this possible when there are not enough votes? ... View more

If I use the command ./splunk add monitor /var/log, -> /splunk/etc/apps/search/local/inputs.conf file will be modified. However, if I use the command ./splunk add forward-server a.a.a.a:9997, -> /splunk/etc/system/local/outputs.conf is modified.   Why are both the same cli tasks, but one modifies the file under the search app and the other modifies the system file? Even considering the priority of the conf configuration file, both are GLOBAL CONTEXT, so I think they should both be placed under the System folder.   My question may be inappropriate or may have some shortcomings. I would really appreciate your advice. ... View more

I have a question about studying multi-site clustering. In a multi-site clustering environment, search heads and peer nodes exist in one site, but only one manager node exists in a specific site. I wonder if there is a reason why there shouldn't be one manager node in each site. When I checked the official documentation, I saw a part that said that the manager node is not a member of any site. Therefore, for this reason (the manager node does not belong to any site), I wonder if there is only one manager node even in a multi-site clustering environment. This may not be an appropriate question. It's not enough, but if there are any mistakes, please point out. ... View more