Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fieldpicker is killing me

vbumgarn
Path Finder
‎12-16-2010 11:30 PM

When using distributed search across a number of hosts, the difference in performance between flashtimeline and advanced charting can be astounding. I understand this is because fieldpicker currently pulls all data back to the search head, simply to calculate the top values in the fieldpicker.

I've made a copy of flashtimeline and replaced the fieldpicker module with GenericHeader, but that doesn't quite seem to work. I see the label I added to GenericHeader, and then after the results are complete, it draws the fieldpicker, but only with the default six fields, which is kind of interesting, but not terribly useful. It'd be better to just see nothing, or even better for the fieldpicker to just be gone.

The performance seems better, anyway.

Is this the best thing to do?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎12-17-2010 10:43 PM

See the "UI Examples for 4.1" app on splunkbase which has a whole section on "Affecting Search Performance" which you will find very illuminating.

To your specific confusion, the FieldPicker module is really just the little link that says 'pick fields', as well as its accompanying gigantic popup.

The modules that are often conflated with the FieldPicker are the other modules that live in the sidebar panel -- MultiFieldViewer and SuggestedFieldViewer. That's why what you think of as the field picker is still there.

Indeed, when certain modules like MultiFieldViewer and FieldPicker are present, the UI framework sends a required_field_list argument to splunkd when searches get dispatched.

When the FieldPicker is downstream from the dispatch point, that argument is required_field_list=. And I believe that MultiFieldViewer module will also send requiredFieldList= if the FieldPicker is absent.

This argument value tells splunkd not to try and optimize field handling, because the UI on the page needs all the fields to come down.

1) One thing that is commonly done is replacing the FieldPicker with HiddenFieldPicker, and then hardcoded only the fields that you want. Go to en-US/modules in your splunk instance to read docs about HiddenFieldPicker.

2) Remove all of the modules that are in the sidebar. This will make your search run with status_buckets=1 and no requiredFieldList argument. (the UI Examples app will help you understand what the heck im talking about)

As to the technical reason why there's such a huge difference in performance in distributed search, is that when you're running with required_field_list=*, the remote search peers basically have to send every single event over the wire to the distributing instance. When you let splunk optimize the field handling and summarization it has to do a lot less work.

View solution in original post

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎01-19-2011 06:28 PM

you could always just specify "| fields < all the fields that you want, comma separated >"

0 Karma
Reply
Solved! Jump to solution

carasso
Splunk Employee
Splunk Employee
‎01-05-2011 06:14 PM

In 4.2, there is a slide controller on the Fields Picker that turns off the expensive field discovery.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎12-17-2010 10:43 PM

See the "UI Examples for 4.1" app on splunkbase which has a whole section on "Affecting Search Performance" which you will find very illuminating.

To your specific confusion, the FieldPicker module is really just the little link that says 'pick fields', as well as its accompanying gigantic popup.

The modules that are often conflated with the FieldPicker are the other modules that live in the sidebar panel -- MultiFieldViewer and SuggestedFieldViewer. That's why what you think of as the field picker is still there.

Indeed, when certain modules like MultiFieldViewer and FieldPicker are present, the UI framework sends a required_field_list argument to splunkd when searches get dispatched.

When the FieldPicker is downstream from the dispatch point, that argument is required_field_list=. And I believe that MultiFieldViewer module will also send requiredFieldList= if the FieldPicker is absent.

This argument value tells splunkd not to try and optimize field handling, because the UI on the page needs all the fields to come down.

1) One thing that is commonly done is replacing the FieldPicker with HiddenFieldPicker, and then hardcoded only the fields that you want. Go to en-US/modules in your splunk instance to read docs about HiddenFieldPicker.

2) Remove all of the modules that are in the sidebar. This will make your search run with status_buckets=1 and no requiredFieldList argument. (the UI Examples app will help you understand what the heck im talking about)

As to the technical reason why there's such a huge difference in performance in distributed search, is that when you're running with required_field_list=*, the remote search peers basically have to send every single event over the wire to the distributing instance. When you let splunk optimize the field handling and summarization it has to do a lot less work.

Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...