
Cisco Ironport Series WSA - How to improve the performance of my search on internet time usage?

rafaelqueiroz
Explorer

I am using the following search to build the "internet time usage by user" report:

index="cisco_wsa" sourcetype="cisco_wsa_squid" | transaction user maxpause=5m | stats sum(duration) as Duration by CN | sort -Duration | lookup light_atributos_principais CN OUTPUT User, Company, CostCenter, DepartmentNumber, OU | fieldformat Duration=tostring(Duration, "duration") | eval Superintendencia=substr(DepartmentNumber, 0, 2) | search DepartmentNumber="LTO" | head 10 | sort -Duration | rename CN as Matricula, CostCenter as "Cost Center", DepartmentNumber as Department, OU as Management | table User, Matricula, Company, Department, Management, "Cost Center", Superintendencia, Duration

The report is created without problems, but I cannot speed it up, and it ends up not generating all of the data. What should I do to improve the performance of the report?


aljohnson_splun
Splunk Employee

See this answer on avoiding the usage of the transaction command. It is probably the reason your search is going slowly. Normally you could use report acceleration, but this is not a qualifying search because you don't use a transforming command.

See this page to learn more about how search types (dense, sparse, super-sparse, rare) affect search performance. Note the second two are I/O bound while the first two are CPU-bound.

Secondly, if you schedule this search to run, you can have results waiting for you when you load the report (from the last scheduled run's results). This way you don't have to wait for the search to complete in front of you but you still have at least some results. Obviously this is dependent on how often you need to access fresh data.

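The answer above recommends dropping transaction. The search below is an added example, not code from the original thread, showing how the same per-user "internet time" (sum of session spans, where a session ends after an idle gap of more than 5 minutes) can be computed with streaming commands and stats instead. It assumes that each cisco_wsa_squid event carries a user field, that the events arrive in reverse chronological order (Splunk's default for an event search with no sort), and that 300 seconds is the right translation of the original maxpause=5m; session_end, session_id and session_seconds are field names chosen here.

```spl
index="cisco_wsa" sourcetype="cisco_wsa_squid"
| fields _time user
| streamstats current=f last(_time) as next_time by user
| eval session_end=if(isnull(next_time) OR next_time - _time > 300, 1, 0)
| streamstats sum(session_end) as session_id by user
| stats min(_time) as session_start max(_time) as session_stop by user session_id
| eval session_seconds=session_stop - session_start
| stats sum(session_seconds) as Duration by user
| sort -Duration
| fieldformat Duration=tostring(Duration, "duration")
```

Because results are in descending time order, the first streamstats gives each event the timestamp of the next later event for the same user; an event with no later event, or whose successor is more than 300 seconds away, closes a session, and the running sum of those flags numbers the sessions. The first stats then collapses each session to its start and stop, exactly what transaction's duration field held, and the second stats sums them per user. The lookup, rename and table tail from the question can be appended after the final stats. Note that a filter on a lookup-derived field (such as DepartmentNumber="LTO") cannot be pushed to the indexers, so if the target population is known up front, restricting user in the base search will cut the events scanned far more than any later head or sort.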
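For the scheduling suggestion in the answer above, a minimal savedsearches.conf stanza for a scheduled report is shown here as an added example, not taken from the thread. The stanza name, cron schedule, time range and the placeholder search are assumptions; replace the search value with the report's actual search.

```ini
# Added example: scheduled report stanza in savedsearches.conf.
# Stanza name, schedule, time window and the search text are assumptions.
[WSA internet time by user]
search = index="cisco_wsa" sourcetype="cisco_wsa_squid" | stats count by user
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 5 * * * *
# let the scheduler shift the run inside a window to smooth load
schedule_window = auto
# keep the results of the last run until the next run has replaced them (two schedule periods)
dispatch.ttl = 2p
```

With this in place, opening the report shows the results of the most recent scheduled run instead of launching a new search, which is what makes the page load without waiting; how stale that is acceptable to be is set by cron_schedule.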

aljohnson_splun
Splunk Employee

Open the job inspector: Job > Inspect Job. What is taking the longest? What is your ratio of events scanned to results returned? Good search performance is around 10k - 20k events returned per second.
