Splunk Search

Ideas on a timechart with large volume

subtrakt
Contributor

Hi!
I have a timechart that runs every ten minutes, but the event volume is very high and sometimes the query won't complete in 10 minutes. The query is using an index also.

I'm open to any options. I just need to know percentage from about 6 different sources of traffic defined in a lookup "NAME" field.

Can timecharts rollover? I would think the chart could run a search once then constantly rollover into itself every 10 minutes instead of re-running the entire search again.

... | timechart span="2m" count by NAME


yannK
Splunk Employee

Check whether you can optimize your lookup to happen after the timechart instead of before, to avoid doing it for each event.

mysearch | bucket _time span=2m | stats count by fieldA _time | lookup mylookup fieldA OUTPUT fieldB | timechart span=2m sum(count) by fieldB


martin_mueller
SplunkTrust

That search looks very accelerate-able, try checking the Report Acceleration box.


subtrakt
Contributor

index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" | timechart span="2m" count by SRC_NAME limit=12 useother=f

The scheduled search is set to delete the saved search after 10 minutes because I figured it would fill up the Splunk drive with tons of saved searches that are executed every 10 mins.


Ayn
Legend

This sounds like a good way to keep Splunk way too busy with rereading huge amounts of data over and over again. You should consider doing some kind of acceleration or summary indexing. Tell us more about your scenario, your data and your exact query and I'm sure we can come up with some good options.


subtrakt
Contributor

2 hour earliest search that is scheduled to run every 10 minutes.


MuS
SplunkTrust

I assume you only search the last 10 minutes if you run your timechart search at this interval? Like:

your base search earliest=-10m | ...
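Putting Ayn's summary-indexing suggestion and MuS's "only search the last 10 minutes" together, this is what the rollover the original poster asked about looks like in practice. It is an added example, not code posted by anyone in this thread: it assumes a summary index named summary_agg has been created in indexes.conf, that the first search is saved as a report scheduled every 10 minutes, and that report=agg_by_src is an arbitrary marker chosen here so the summary rows can be found again. The field names (SRC_NAME, SRC_CATEGORY, sourcetype AGG, index eAGG*) are the ones from the original poster's search.

```spl
index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" earliest=-10m@m latest=@m
| bucket _time span=2m
| stats count by _time SRC_NAME
| collect index=summary_agg marker="report=agg_by_src"

index=summary_agg report=agg_by_src earliest=-2h@m latest=@m
| stats sum(count) as count by _time SRC_NAME
| eventstats sum(count) as total by _time
| eval pct=round(100*count/total, 2)
| xyseries _time SRC_NAME pct
```

The first search is the scheduled one: each run reads only the 10 minutes of raw events that ended at the last whole minute, so every raw event is scanned exactly once, and it writes one row per 2-minute bucket per source (with six sources, about 30 small rows per run, which is why the summary index never grows the way the poster feared the saved searches would). The second search is the one the dashboard or the 2-hour timechart runs; it reads only the summary rows, so the 2-hour window is cheap. The leading stats sum(count) in the second search is deliberate: a run that starts on an odd minute splits one 2-minute bucket across two runs and leaves two partial rows for the same bucket and source, and summing them first keeps the percentages right. If a scheduled run is skipped because the previous one overran, that window is simply missing from the summary; Splunk ships $SPLUNK_HOME/bin/fill_summary_index.py for backfilling such gaps. Report Acceleration, as martin_mueller suggests, is the alternative when the original search is to be kept as-is, since Splunk then maintains the summary for you instead of through an explicit collect.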