How to determine how long a search will run for?

bayman · ‎05-18-2017

I've been waiting for over an hour and my search is still running with over 50 million events so far. I'm tempted to just stop it but how do I know how many total events I have and when it should end?

kmorris_splunk · ‎05-18-2017

To adonio's point, I would take a look at this to see if your search can be written more efficiently:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Search/Writebettersearches

Selecting an appropriate time window is the first place you should start. Next, you should search by a specific index or indexes. This prevents Splunk from having to open up buckets of data that aren't even relevant to your search. Another tip would be to use host, source, or sourcetype early in your search. This is metadata that is added by Splunk on ingestion and can help make your searches more efficient.

These are all common things that people run into when searching, so apologies if you have already taken into account many of these things.

adonio · ‎05-18-2017

there are settings in limits.conf
splunk however highly reccomend not to touch those settings without PS help.
saying that, in the vast majority of the times i have seen such long searches, there is a better way to search.
show us the search and reveal the use case, and we shall make it performant or suggest another ways.

How to determine how long a search will run for?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life