Re: Why are searches using certain fieldnames so s...

john_byun · ‎05-24-2019

In most cases, I don't notice a huge difference when I specify a fieldname or do a free text search, but for some fields it is literally 260 times slower.

Are searches using fieldnames supposed to be slower than free text?
What is it about these particular fields that make it unbearably slow?

For instance:
index=main myusername
This search has completed and has returned 1,774 results by scanning 1,774 events in 2.65 seconds

index=main user=myusername
This search has completed and has returned 1,774 results by scanning 40,885,115 events in 689.411 seconds

koshyk · ‎05-24-2019

Good question
In Search index=main myusername, You are searching for string of "myusername" and it is blazingly fast in Splunk.

But in search index=main user=myusername . you are searching for a key-value field. Splunk doesn't now if that's raw data, or evaluated field. So it has use the TA's , props/transforms/eventypes or enriched fields kinda.

Some good tips which I do are
=> If you are sure, that the keyword is present in raw data then do index=main myusername user=myusername
=> Use TERM if you know the key-value pair is present in the raw data
=> if its an index field, you could use double colon (::) for key-value pair

john_byun · ‎05-29-2019

Let me ask a slightly different question. In general, is it going to be faster using a string search compared to a field search?

Why are searches using certain fieldnames so slow?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio