×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
zaks191
New Member
Member since: ‎07-19-2025
‎07-20-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-19-2025
View All

How to Optimize Search Performance for Large-Scale...

by in Getting Data In
‎07-19-2025 10:57 PM
‎07-19-2025 10:57 PM
Hi Splunk Community, I'm new to Splunk and working on a deployment where we index large volumes of data (approximately 500GB/day) across multiple sources, including server logs and application metrics. I've noticed that some of our searches are running slowly, especially when querying over longer time ranges (e.g., 7 days or more). Here’s what I’ve tried so far: Used summary indexing for some repetitive searches. Limited the fields in searches using fields command. Ensured searches are using indexed fields where possible. However, performance is still not ideal, and I’m looking for advice on: Best practices for optimizing search performance in Splunk for large datasets. How to effectively use data models or accelerated reports to improve query speed. Any configuration settings (e.g., in limits.conf) that could help. My setup: Splunk Enterprise 9.2.1 Distributed deployment with 1 search head and 3 indexers Data is primarily structured logs in JSON format Any tips, configuration recommendations, or resources would be greatly appreciated! Thanks in advance for your help. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-20-2025 04:39 AM