Large searches show status of Running(100%) for 3 ...

raziasaduddin · ‎07-16-2013

Some of my large searches show a status of "Running(100%)" for 3 hours. My latest, for example, has 97 million events and takes 3GB on disk. Why is it in the running(100%) status for so long? Can I speed this up?

Example Search:
index=test sourcetype=test (host=A OR host=B OR host=C OR host=D OR host=E OR host=F OR host=G ) | fields _raw | table _raw | outputcsv test.csv

lguinn2 · ‎07-16-2013

If you are running this via the Splunk GUI (eg, not a scheduled search) then make sure that you have set the Mode in the upper right corner to "Fast." This will help, but maybe not much.

Second, when one of these searches completes, check out the Search Job Inspector - it is represented by a blue box containing an "i". The inspector contains a lot of information about how your search ran. This will tell you where most of the time was spent. Of course, you may want to ask follow-up questions about what some of those statistics mean!

In fast mode, you can eliminate the | fields _raw portion of the command.

To make better suggestions, we really need more information:

How many events is Splunk searching? You said the search returns 97 million, but how many events did Splunk search to find that?
Why are you writing 97 million events to disk as a csv file? There may be better ways to do this.

bmacias84 · ‎07-16-2013

Do u need _raw? what is the goal of your search?

Large searches show status of Running(100%) for 3 hours

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk