Splunk Search

Why does search take more time?

Bhagyashri
Explorer

I searched for sourcetype=java "xyz". It returns just 202 events, with 12452 scanned events, and the search takes 8 minutes. Why is it taking so much time?
My system configuration: single-instance machine with 4 cores @ 3.3 GHz, 16 GB RAM and a 64-bit OS.

0 Karma

esix_splunk
Splunk Employee

Here are some places to start reading to find out about Splunk and search performance. Reading indexed data on disk is I/O intensive and bound by that, so having 7200rpm+ disks (SSD or 15krpm) is recommended. Don't do virtual disks and expect good performance.

http://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches
http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements

0 Karma

esix_splunk
Splunk Employee

What kind of data source is it? Sourcetype? Do you have extractions running? What does your search look like? Are you running other things on the machine? What does job inspector say?

0 Karma

Bhagyashri
Explorer

Actually it is a text kind of file and I have given it a custom sourcetype, java. No, it doesn't have extractions running. The search is running in smart mode. Nothing else is running on the machine. Not even monitoring of a file, just doing the search.
Job inspector shows:
command.search takes more time; within that, command.search.filter: 285 sec
command.search.rawdata: 200 sec
dispatch.fetch: 1072 sec
dispatch.localsearch and dispatch.stream.local are also taking more time
My search query is:
sourcetype=java "w(0x40D9)" | fields + source | fields - _raw, _time

0 Karma

esix_splunk
Splunk Employee

Dispatch.fetch is taking a long time to run. So this is most likely related to slow disks. Search is disk intensive in most cases.

0 Karma

Bhagyashri
Explorer

But in the Splunk documentation they mentioned that search is related to CPU: 1 CPU per search.
What kind of disk should be used for search performance?

0 Karma