Speed Splunking
These quick tips will let you get answers from Splunk faster.
Ready, Fire! Aim.
The biggest speed boost you can give yourself is to splunk first and ask questions later. Start with a broad search for the first term that comes to mind. Then use Ctrl-Alt-click (on Macs, cmd-option-click) to filter out results you don't want. Use the same approach you do when Googling or when piping a file through longer and longer grep commands to filter it down to what you're looking for.
Hide Event Meta Data
Turn off the menu item Preferences -> Show event meta data for faster results if you don't need to see host, source, source type and event type information.
Use maxresults::
To control the length of a search (and hence its speed), add the maxresults:: modifier to specify the number of results after which it should finish.
Set a time range
Splunk partitions its indexes by timestamp both in memory and on disk. So the smaller the range between the start and end times of a search over the same index, the smaller the amount of RAM or disk the server will need to read, and the faster it will finish. The minutesago::, hoursago:: and daysago:: modifiers are quick ways to reduce the length of a search.
Hide events by time
The Events by Time chart takes extra time to load data from the server, and then more time to render it in your browser. To speed up searches, click Hide events by time to close the chart until you need it again.
Most modifiers don't affect the time it takes to return results, but related:: requires the server to examine more complex data structures, which can slow a search.
Turn off Full Segments
If you're Splunking long event lines, your browser may slow as you mouse over event segments because it can't keep up with highlighting requests. To speed up highlighting, go to the Preferences menu at the top of the interface and choose Segment Selection -> Outer or Segment Selection -> Inner.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.