Splunk® Enterprise

Metrics

Download manual as PDF

Download topic as PDF

Best practices for metrics

The following are best practices when working with metrics in the Splunk platform:

Cardinality issues

Metrics search performance decreases as the cardinality of the metric time series stored in a given index and bucket increases. In other words, as the number of unique dimension sets in your metrics data increases, the speed of your metrics searches decreases. The following strategies can help you reduce the time series cardinality in your metrics indexes and buckets.

  • Remove unnecessary dimensions from your data. Focus on removing dimensions that have a wide range of unique values, like user IDs or phone numbers.
  • Use larger bucket sizes. This can help you reduce the overhead per metrics data point. For example, you might try sizing your buckets to 10GB.
  • Split your metrics data across multiple indexes. When you do this, partition the indexes by relative search domains. Keep data that tends to be searched frequently together in the same index. For example, you may want to keep your IT Infrastructure metrics data in one index, and your Sales/Marketing metrics in another index, if those two data sets are rarely searched together.

High result row cardinality also slows down search performance. You can try to mitigate this by increasing the time bucket span to reduce the number of rows returned. You can also reduce the overall time range of your search.

StatsD Format with dimensions extension

If you are indexing data that is in StatsD format, use the StatsD format with the dimensions extension for better performance: cpu.idle:0.5|g|#host:some-hostsplunk.com,app:some-app

Use it instead of the plain StatsD format that combines dimensions with the metric name: cpu.idle.some-hostsplunk.com.some-app

Other best practices

  • The _value field of a metric should be of type "Double", not type "String", to avoid causing indexing inefficiencies.
  • For a faster response time for REST calls to the Metrics Catalog endpoint, use constrained time windows when applicable. By default, only the last 24 hours of data is searched. See Metrics Catalog endpoint descriptions in the REST API Reference Manual.
  • Make sure dimension names do not start with an underscore ( _ ). Such dimensions will not be indexed.
PREVIOUS
Metrics indexing performance
 

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters