Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index based on Raw Data?

Cuyose
Builder
‎05-25-2012 09:51 AM

I run a python script to get data into an indexer from mdb files, this basically creates events with source, host, sourcetype and raw data. We are almost always concerned with only reporting on the raw data. millions of rows are generated in csv format and I have created custom fields within the raw data with splunk having no problem identifying those.

The issue is doing a search to find 2 distinct values in those 12 million + rows takes forever, it parses all 12 million rows before returning the values.

Tags (2)
0 Karma
Reply

Cuyose
Builder
‎05-29-2012 11:15 AM

index = perfdata | dedup LR_Run_Name

Where LR_Run_Name is in the raw data and we extracted the field value. I checked the fields.conf and there are no indexed values in there on these fields we extracted, they all look like this

Out of millions of rows there are only a handful of unique values in the indexed raw data.

[sourcetype]
INDEXED = True
INDEXED_VALUE = False

Would I add something like?
[LR_Run_Name]
INDEXED = True
INDEXED_VALUE = False

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎05-25-2012 10:11 PM

Can you paste the exact search you're using?

In a nutshell, if Splunk is having to read all the data off disk, then the most likely reason is that your searchterms are either not in the initial search clause... ie you're doing something like 

`sourcetype=foo | <some other command(s)> | search <searchterms>`

Then there are a lot of other strange possibilities, like, to take a random example, you could have a foo="bar" term, and you could have it in the initial search clause, but then for some reason something could have configured INDEXED_VALUE in fields.conf to be false for that field.

In any event, without seeing the search it's hard to speculate on the answer, but there most likely is an answer, and it's probably fixable.

0 Karma
Reply

Supriya
Path Finder
‎08-24-2020 05:00 AM

Could you please help me out how to search multiple words from raw data

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-25-2012 11:12 AM

What is the keyword you are searching and exact query? How often does it exist in the raw data?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...