Splunk® Enterprise

Search Manual


Quick tips for optimization

The key to fast searching is to:

1. Limit the data that needs to be pulled from disk to an absolute minimum.

2. Filter the data as early as possible in the search, so that later processing runs on the minimum data necessary.

Limit the data from disk

One of the most effective ways to limit the data that is pulled from disk is to limit the time range to only what is absolutely needed.

For example, use -1h rather than -1w, or set earliest=-1d in the search.

Learn more about specifying time ranges in About time ranges.

Another way to limit the data that is pulled off from disk is to partition data into separate indexes. If you rarely search across more than one type of data at a time, partition your different types of data into separate indexes. Then restrict your searches to the specific index. For example, store Web access data in one index and firewall data in another. This is recommended for sparse data, which might otherwise be buried in a large volume of unrelated data.

Read more about "Ways to set up multiple indexes" in the Managing Indexers and Clusters of Indexers manual and how to "Retrieve events from indexes" in this manual.

  • Use Fast Mode to increase the speed of searches by reducing the event data that they return.
  • Search as specifically as you can. For example, fatal_error rather than *error*.
  • Filter out results as soon as possible, before any calculations. Use field-value pairs before the first pipe. For example, ERROR status=404 |… instead of ERROR | search status=404… Alternatively, use filtering commands such as where.
  • Filter out unnecessary fields as soon as possible in the search.
  • Postpone commands that process over the entire result set (non-streaming commands) as late as possible in your search. Some of these commands are: dedup, sort, and stats.
  • Use post-processing searches in dashboards.
  • Use summary indexing, report acceleration, and data model acceleration features.
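The tips above applied to one report, as an added savedsearches.conf example that is not from the Splunk documentation. The index name, sourcetype, field names and the failure threshold are assumptions chosen for illustration.

```ini
# Added example (not Splunk's own): a failed-SSH-login report written twice,
# first as a slow search and then with the optimization tips applied.
# Index, sourcetype, field names and the threshold are assumptions.

[ssh_failed_logins_slow]
# No index or sourcetype restriction, a leading-wildcard term, filtering
# after the first pipe, a non-streaming sort before stats, and no time
# bounds: every bucket on disk is a candidate for this search.
search = *fail* | search "Failed password" | sort - _time | stats count by src_ip | where count > 20
dispatch.earliest_time = 0
dispatch.latest_time = now

[ssh_failed_logins_fast]
# 1. Restrict the search to the index and sourcetype that hold the data.
# 2. Use a specific term and field-value pairs before the first pipe.
# 3. Keep only the fields the rest of the search needs.
# 4. Put the non-streaming commands (stats, sort) last; the where clause
#    filters on the aggregate, so it can only run after stats.
search = index=auth sourcetype=linux_secure "Failed password" | fields src_ip, user | stats count AS failures, dc(user) AS users by src_ip | where failures > 20 | sort - failures
# 5. Bound the time range: the last hour, not all time.
dispatch.earliest_time = -1h
dispatch.latest_time = now
# 6. Run on a schedule and write the aggregate to a summary index so that
#    dashboards read the small summary instead of re-scanning raw events.
enableSched = 1
cron_schedule = */15 * * * *
action.summary_index = 1
action.summary_index._name = summary
```

A dashboard panel can then run a base search over index=summary and use post-processing searches for each visualization, rather than repeating the raw-event search per panel.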

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
