Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why search Takes more time?

Bhagyashri
Explorer
‎04-24-2016 11:32 PM

I searched for sourcetype=java "xyz" it just returns 202 events and scanned events are 12452, it takes 8 minutes for the search. why so much time it is taking?
My system configuration- Single instance machine with 4 core @3.3 GHz, 16 GB RAM and 64 bit OS.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-25-2016 06:28 AM

Here's some places to start reading to find out about Splunk and search performance. Reading indexed disk on data is I/o intensive and bound by that.. So having 7200rpm+ disks (SSD or 15krpm) is recommended. Dont do virtual disks and expect good performance.

http://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches
http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-25-2016 12:54 AM

What kind of data source is it? Sourcetype? Do you have extractions running? What does your search look like? Are you running other things on the machine? What does job inspector say?

0 Karma
Reply

Bhagyashri
Explorer
‎04-25-2016 01:34 AM

Actually it is text kind of file and i have given custom sourcetype as java. No it dont have extractions runing. Search running in smart mode. Nothing is running on machine. Not even monitoring of file, just doing search.
Job inspector shows:
Command. Search takes more time , in that command.search.filter 285 sec
Command.search.rawdata 200 sec
Dispatch.fetch 1072 sec
Dispatch.localsearch n dispatch.stream.local also taking more time
My search query is
Sourcetype=java "w(0×40D9)" | fields + source | fields - _raw, _time

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-25-2016 04:48 AM

Dispatch.fetch is taking a long time to run. So this is most likely related to slow disks. Search is disk intensive in most cases.

0 Karma
Reply

Bhagyashri
Explorer
‎04-25-2016 05:19 AM

But in splunk document they mentioned that search related to cpu.. 1 cpu per search..
What kid of disk should be used for search performance?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...