Hi,
I have a dashboard with search queries which take tens of seconds to run. The results are displayed as charts, and they tend to come in random order (i.e. we see the line grow randomly across the X axis). Yet what I tend to worry the most about are the most recent days.
I was wondering if there was a way to give a hint to Splunk to specify that I am more interested in seeing the latest results first?
I understand this may not be in a strict order given the map-reduce, but if say each indexer returned the results in that order it would already be helpful.
Thx,
Thibault.
Splunk has two search modes, returning data in reverse time order or batch mode without that ordering. See http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Configurebatchmodesearch for some background info. Whenever Splunk can use batch mode (e.g. counting events, time order doesn't matter), performance will improve.
You could turn batch mode off (see docs link) to always get reverse time order, but I'd rather recommend improving the searches powering your charts.
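As an added illustration of the "turn batch mode off" option mentioned above (not from the original answer), this is a limits.conf fragment; the setting name allow_batch_mode and its location in the [search] stanza are assumed from the batch mode docs linked above, and the file path is the usual local override location:

```ini
; $SPLUNK_HOME/etc/system/local/limits.conf  (assumed location)
; Applies per instance: set it on the search head, and on each indexer
; in a distributed deployment, then restart (assumption).

[search]
; Default behaviour: Splunk may run transforming searches (stats, timechart, ...)
; in batch mode, reading buckets in whatever order is fastest. Faster, but the
; partial results reach the chart in no particular time order.
; allow_batch_mode = true

; Override: disable batch mode so every search streams events in reverse
; time order (most recent first). Expect longer run times on large searches.
allow_batch_mode = false
```

Verify the effect through the search job inspector or search.log of a test search rather than by eye, since a chart filling in from the right is not a reliable indicator on its own.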
from a similar post -
Splunk starts to search events at the current time, and progressively search backward in the past.
first() returns the first seen result -> the most recent reference
last() returns the last seen result -> the oldest reference
documentation -
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions
Splunk is a reverse time-series index, so while it might be confusing, it is technically correct. The results of a Splunk search are ordered by default from most recent to least recent.
If you give us the queries you use and the timeline, we can do some troubleshooting.
Please do not link to 4.3.1 documentation, that version had its end of life many years ago. Many concepts were added since then, e.g. batch mode search.
If anyone's still using 4.3.1, please upgrade.
Here is the current doc link: http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CommonStatsFunctions
So from what you say it should do what I would like out of the box, i.e. start from the latest event and gradually go further back in time?
An example of a query is:
earliest=-14d@d latest=@d index=license_summary source=License_Accounting host=XYZ | eval GB=bytes/1024/1024/1024 | timechart span=1d eval(round(sum(GB),0)) by pool
The strange thing is that when I just ran this again, the result from 2 weeks ago was one of the first to come back.
Have you considered datamodel acceleration to just make things run fast enough to not care about ordering?