Splunk Search

Indexer performance hit, for searches with no results

jdunlea_splunk
Splunk Employee
Splunk Employee

I have a search like the following:

"index=index_A | "

If i distribute this to an indexer which does NOT have an index called index_A, what will be the performance issue with this? Will there be a significant/negligible hit on the indexer performance?

I ask, because what If I distributed 10,000 searches like this to an indexer, where only 100 out of the 10,000 would actually find the index they are looking for? - Would I still lock up the indexer from a performance point of view, even though 9,900 of the 10,000 searches cannot even find the index they are looking for on the indexer?

Any help here is appreciated!

John

0 Karma

woodcock
Esteemed Legend

Performance hit of the search is negligible because there will be no index on the indexer so the very first thing that is checked ( indexes.conf ) will fail. Such an approach should be fine from this aspect.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...