Splunk Search

How to determine how long a search will run for?

bayman
Path Finder

I've been waiting for over an hour and my search is still running with over 50 million events so far. I'm tempted to just stop it but how do I know how many total events I have and when it should end?

0 Karma

kmorris_splunk
Splunk Employee

To adonio's point, I would take a look at this to see if your search can be written more efficiently:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Search/Writebettersearches

Selecting an appropriate time window is the first place you should start. Next, you should search by a specific index or indexes. This prevents Splunk from having to open up buckets of data that aren't even relevant to your search. Another tip would be to use host, source, or sourcetype early in your search. This is metadata that is added by Splunk on ingestion and can help make your searches more efficient.

These are all common things that people run into when searching, so apologies if you have already taken into account many of these things.

0 Karma

adonio
Ultra Champion

There are settings in limits.conf.
Splunk, however, highly recommends not touching those settings without PS help.
That said, in the vast majority of the cases where I have seen such long searches, there is a better way to search.
Show us the search and reveal the use case, and we shall make it performant or suggest other ways.

0 Karma
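Both answers above recommend narrowing the time window, the index, and the host/source/sourcetype before anything else. The following SPL is an added example (not from the original thread or either poster) that puts those tips side by side and also shows a fast way to size a search before running it. The index name `web_proxy`, the sourcetype `squid`, the host `proxy01`, and the field `src_ip` are assumed placeholder values; substitute your own.

```spl
| comment "Step 1: size the job first. tstats reads only indexed metadata, so it returns an"
| comment "event count per host in seconds instead of scanning raw events for an hour."
| comment "(Assumed index/sourcetype names; all lines starting with '| comment' are annotations.)"
| tstats count WHERE index=web_proxy sourcetype=squid earliest=-24h@h latest=now BY host

| comment "Step 2 (the slow pattern): no index, no sourcetype, All Time, free-text term first."
| comment "Splunk must open every bucket in every searchable index and inspect raw events."
| comment "    error earliest=0"

| comment "Step 3 (the efficient pattern): time window, index, sourcetype and host all appear"
| comment "before the free-text term, so irrelevant buckets are skipped entirely."
index=web_proxy sourcetype=squid host=proxy01 earliest=-24h@h latest=now "error"
| stats count BY src_ip
| sort - count
```

Run the `tstats` line on its own first: if it reports tens of millions of events for the window, tighten `earliest`/`latest` or add a `host` filter before launching the full search. Once the count is reasonable, the scoped search in the last block will finish in a fraction of the time of the unscoped one, because the metadata filters are applied at bucket-selection time rather than after the raw events have been read.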