Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Ideas on a timechart with large volume

subtrakt
Contributor
‎06-16-2014 06:03 AM

Hi!
I have a timechart that run every ten minutes but the event volume is very high and sometimes the query won't complete in 10 minutes. The query is using an index also.

I'm open to any options. I just need to know percentage from about 6 different sources of traffic defined in a lookup "NAME" field.

Can timecharts rollover? I would think the chart could run a search once then constantly rollover into itself every 10 minutes instead of re-running the entire search again.

... | timechart span="2m" count by NAME

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-16-2014 04:37 PM

Check if you cannot optimize your lookup to happen after the timechart, instead of before. To avoid doing it for each event.

mysearch | bucket _time span=2m | stats count by fieldA _time | LOOKUP mylookup fieldA OUTPUT fieldB | timechart span=2m count by fieldB

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-16-2014 11:33 AM

That search looks very accelerate-able, try checking the Report Acceleration box.

0 Karma
Reply

subtrakt
Contributor
‎06-16-2014 08:08 AM

index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" | timechart span="2m" count by SRC_NAME limit=12 useother=f

the scheduled search is set to delete saved search after 10 minutes because i figured it would fill up the splunk drive with tons of saved searches that are executed every 10 mins.

0 Karma
Reply

Ayn
Legend
‎06-16-2014 06:57 AM

This sounds like a good way to keep Splunk way too busy with rereading huge amounts of data over and over again. You should consider doing some kind of acceleration or summary indexing. Tell us more about your scenario, your data and your exact query and I'm sure we can come up with some good options.

0 Karma
Reply

subtrakt
Contributor
‎06-16-2014 06:29 AM

2 hour earliest search that is scheduled to run every 10 minutes.

0 Karma
Reply

MuS
Legend
‎06-16-2014 06:09 AM

I assume you only search the last 10 minutes if your run your timechart search at this interval? like:

you base search earliest=-10m | ...
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...