Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[Performance] What does exactly an indexer and a search head during a search ?

olivier_ma
Explorer
‎05-09-2016 07:25 AM

Hello,

I currently meet some performance issue during my search (for instance, one of my search takes 75 hours with multiple sub-search for correlation). So I'm looking for some performance improvement.

That's why I try to find the exact task allocation between an indexer and a search head when we run a search on Splunk.
Let's take an example that can help you to explain me :
index=a field_1=b | eval field_2=lower(field_1) | lookup l_1 field_2 OUTPUT field_3

Also inline fields extraction is done on indexer side or search head ?

Thanks,

Tags (1)
0 Karma
Reply

jensonthottian
Contributor
‎05-09-2016 09:15 AM

I think a summary index would be a good idea to retrieve results faster.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Usesummaryindexing

This should help you.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...