Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Significant performance differences running same query against different indexes

awmorris
Path Finder
‎10-08-2016 08:24 PM

I performed the exact same search (index=|head 2000000|stats count) on the same indexer against THREE different indexes: fictionaldata, main, udp_syslog

The results were:
fictionaldata: 3.444 seconds
main: 70.491 seconds
udp_syslog: 3.852 seconds

What is going on with main? How can i troubleshoot the performance difference where the primary difference is the target index?

It is probably worth disclosing that main is larger than the other 2 indexes: 8GB vs 500MB- but all have > 2,000,000 rows.

I should also disclose that main has many more field extractions defined... but a 20x performance difference is simply shocking!

Splunk Enterprise Server 6.5.0
Linux, 12 GB RAM, 6 CPU Cores

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-11-2016 03:39 PM

Because index=main is a default dumpingground for when you don't specify an index, if your admin is doing his job correctly, it should have VERY few events coming into it. This means that you are going to have to dig into FAR more buckets and files to get 2000000 events. It looks like the events/bucket ratio is 20X less dense in main, than in the other indices. This makes sense to me. If you have to open 20 files to get 2000000 events (and each of those files requires uncompression) for index=udp_syslog but you have to open 2000000 files to get 2000000 for index=main, obviously it will take way longer. This does not even consider the fact that the older events in index=main are probably on slower storage, too.

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎10-09-2016 05:34 AM

Hi awmorris,

I think there are a couple of factors you might look at that may have peformance impacts:
- The number of sourcetypes and related search-time transformations: almost certainly the default index contains far more types of data that requires search-time operations than those in the other two indexes
- Storage location: Are the index paths of the three indexes all located on the same storage space?

- Time spans: See the earliest event returned by the search in these indexes - recent events are stored in hot and warm buckets but older ones are stored in cold buckets

Hope it helps. Thanks!
Hunter

0 Karma
Reply

javiergn
Super Champion
‎10-10-2016 01:07 AM

Also, if you want to compare apples with apples, you should try using metasearch:

| metasearch index=YOURINDEX | head 2000000 | stats count
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...