Some of my large searches show a status of "Running(100%)" for 3 hours. My latest, for example, has 97 million events and takes 3GB on disk. Why is it in the running(100%) status for so long? Can I speed this up?
Example Search:
index=test sourcetype=test (host=A OR host=B OR host=C OR host=D OR host=E OR host=F OR host=G ) | fields _raw | table _raw | outputcsv test.csv
If you are running this via the Splunk GUI (e.g., not a scheduled search), then make sure that you have set the Mode in the upper right corner to "Fast." This will help, but maybe not much.
Second, when one of these searches completes, check out the Search Job Inspector - it is represented by a blue box containing an "i". The inspector contains a lot of information about how your search ran. This will tell you where most of the time was spent. Of course, you may want to ask follow-up questions about what some of those statistics mean!
In fast mode, you can eliminate the | fields _raw portion of the command.
To make better suggestions, we really need more information:
Do you need _raw? What is the goal of your search?