Speed up search using the following single index.

slgizmo
New Member

I am working on the creation of a dashboard that consists of the following search, and it does function and return the information that I am needing. Further, I have this set for month to date so I can see how many users per day are connecting to the system. However, the search is very slow and I would like to find a way to make this a little faster. Is there anything I can do to this search string?

index=xd sourcetype="xendesktop:7:session" |dedup UserName date_mday | stats count by date_mday


martin_mueller
SplunkTrust

This is a prettier search string doing essentially the same thing:

index=xd sourcetype="xendesktop:7:session" | timechart span=1d dc(UserName)

However, the bulk of the work will be event retrieval and parsing, I guess; without seeing your job inspector there are only guesses.
To speed that up, your best approach is to filter more. Is there a "connection established" event that contains all you need? If so, search for just that.

Once all the regular speedup approaches are exhausted, this type of search suits data model acceleration very well.

gcusello
SplunkTrust

Hi slgizmo,
did you explore Splunk acceleration (http://docs.splunk.com/Documentation/Hunk/6.4.7/Hunk/Workwithreportacceleration)?

I usually use tscollect:
- create a search with the fields you need index=xd sourcetype="xendesktop:7:session" | dedup UserName date_mday | table _time UserName
- add | tscollect namespace=<namespace>
- schedule this search
- create a search like the following | tstats count AS cnt FROM <namespace> GROUPBY UserName | timechart span=1d sum(cnt) by UserName

Bye.
Giuseppe

slgizmo
New Member

Martin,

Thanks I am looking into this now.

Gizmo

gcusello
SplunkTrust

If you're satisfied by this answer, please accept it.
Bye.
Giuseppe

martin_mueller
SplunkTrust

I highly recommend data model acceleration in favour of tscollect.

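As an added illustration of what the data model route looks like (example search, not from any post in this thread): once a data model is accelerated, the per-day distinct-user report is served from the acceleration summary instead of re-reading and re-parsing the raw events. The data model name XenDesktop and the root event object Sessions are assumptions; the object is assumed to be constrained to the original search's index=xd sourcetype="xendesktop:7:session" and to expose the UserName field.

```spl
| tstats summariesonly=true dc(Sessions.UserName) AS users
    FROM datamodel=XenDesktop
    WHERE nodename=Sessions
    BY _time span=1d
```

summariesonly=true returns only data that has already been summarized, so a freshly accelerated model reports low numbers until the backfill finishes; drop the option (the default is false) to let Splunk fall back to raw events for unsummarized ranges. Validate the result against the raw-event search from the accepted answer (index=xd sourcetype="xendesktop:7:session" | timechart span=1d dc(UserName)) over the same time range before putting it on the dashboard.
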

slgizmo
New Member

Martin,
As I am a newbie when it comes to this I am willing to try anything to learn more about it. Do you have a recommended link that I can read on how to set data modeling up?
Gizmo


slgizmo
New Member

Giuseppe,

So I am trying your solution, and if I understand properly, when I create the search and run it, a new TSIDX is created that allows the follow-up search using | tstats. The following is what I have set:

Saved search to be run once a day:
index=xd sourcetype="xendesktop:7:session" | dedup UserName date_mday | table _time UserName | tscollect namespace=DailyUserUsage

This shows me 86 for the count and then if I run the following

| tstats count AS cnt FROM DailyUserUsage GROUPBY UserName | timechart span=1d sum(cnt) by UserName

I get nothing returned. Any idea why?

Gizmo


slgizmo
New Member

Giuseppe,
If I run the string prior to the tscollect I am seeing the events and statistics. However, if I try to run | tstats I receive the following: "Error in 'tstats' command: this command must be the first command of a search."


gcusello
SplunkTrust

Run | tstats count AS cnt FROM DailyUserUsage GROUPBY UserName and see if you have results:
if there are results, add _time after GROUPBY;
if you have no results, check whether the search with tscollect gives results without tscollect.
Bye.
Giuseppe

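An added example of the collection/report pair with the two problems from the posts above fixed (these are example searches, not Giuseppe's or Gizmo's exact searches). The report came back empty because GROUPBY UserName yields rows with no _time, so timechart has nothing to bucket; the "must be the first command" error appears when | tstats is appended to the index= search instead of being run on its own. The namespace DailyUserUsage comes from the thread; the one-day time window on the scheduled search is an assumption, added so that a daily run writes each day's rows into the namespace exactly once rather than re-collecting (and double counting) the whole month-to-date range on every run.

```spl
index=xd sourcetype="xendesktop:7:session" earliest=-1d@d latest=@d
| dedup UserName
| table _time UserName
| tscollect namespace=DailyUserUsage

| tstats dc(UserName) AS users FROM DailyUserUsage GROUPBY _time span=1d
| timechart span=1d sum(users) AS users
```

The first search is the one to schedule daily; the second is the dashboard search and must start with the pipe, as its own search string. tscollect is documented as requiring the indexes_edit capability, so the scheduled search owner needs that role; check the first run's job inspector to confirm the namespace was written before relying on the report.
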

slgizmo
New Member

Martin,

This does speed it up a little bit and is more condensed than what I have so thank you for this.

Scott
