Splunk® Enterprise

Search Reference



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

noop

Description

The noop command is an internal command that you can use to debug your search. It includes several arguments that you can use to troubleshoot search optimization issues.

You cannot use the noop command to add comments to a search. If you are looking for a way to add comments to your search, see Add comments to searches in the Search Manual.

Syntax

noop [<log-level-expression>] [search_optimization = <boolean>] [search_optimization.<optimization_type> = <boolean>] [sample_ratio = <int>]...

Required arguments

None.

Optional arguments

log-level-expression
Syntax: log_<level> = "<channel>, ..."
Description: Sets or changes the log levels for one or more log channels at search startup. The log channel list should be double-quoted. See Log level expression options.
optimization_type
Syntax: search_optimization.<optimization_type> = <boolean>
Description: Enables or disables a specific type of search optimization for the search. To disable multiple optimization types, create a comma-separated list of search_optimization.<optimization_type> arguments. See Optimization type arguments.
Default: true
sample_ratio
Syntax: sample_ratio = <int>
Description: Sets a randomly-sampled subset of results to return from a given search. It returns 1 out of every <sample_ratio> events. For example, if you supply | noop sample_ratio=25, the Splunk software returns a random sample of 1 out of every 25 events from the search result set. The sample_ratio argument requires that search be the generating command of the search to which you are applying noop.
The sample_ratio argument does the same thing as the event sampling feature that you can manage through Splunk Web. The difference is that it enables you to apply event sampling to a subsearch, while the Splunk Web version of event sampling is applied only to the main search. See Event sampling in the Search Manual.
Default: 1
search_optimization
Syntax: search_optimization = <boolean>
Description: Enables or disables all optimizations for the search.
Default: true

Optimization type arguments

Here are the search_optimization.<optimization_type> arguments that you can use with noop.

| search_optimization argument | Controls |
| --- | --- |
| search_optimization.eval_merge | Eval merge optimization |
| search_optimization.merge_union | Merge union optimization |
| search_optimization.predicate_merge | Predicate merge optimizations |
| search_optimization.predicate_push | Predicate pushdown optimizations |
| search_optimization.predicate_split | Predicate split optimizations |
| search_optimization.projection_elimination | Projection elimination optimizations |
| search_optimization.required_field_values | Required field value optimizations |
| search_optimization.replace_append_with_union | Replace append command with union command optimization |
| search_optimization.replace_stats_cmds_with_tstats | Replace stats command with tstats command optimization. This optimization type is disabled by default. |
| search_optimization.search_flip_normalization | Predicate flip normalization |
| search_optimization.search_sort_normalization | Predicate sort normalization |

For more information about specific search optimization types, see Built-in optimizations.

Log level expression options

level
Syntax: log_<level>
Description: Valid values are the Splunk platform internal logging levels: debug, info, warn, error, and fatal. You can apply different log levels to different sets of channels.
channel
Syntax: <channel>, ...
Description: Specifies one or more log channels to apply the log level to. Use wildcards to catch all channels with a matching string of characters in their name.

Usage

You can use the noop command to enable or disable search optimizations when you run a search. Enabling or disabling search optimizations can help you troubleshoot certain kinds of search issues. For example, you might experiment with disabling and enabling search optimizations to determine whether they are causing a search to be slow to complete.

For information about managing search optimization through limits.conf for all of the users in your Splunk platform deployment, see Built-in optimization in the Search Manual.

Managing all search optimizations with the noop command

The noop command can enable or disable all search optimizations for a single run of a search.

If all search optimizations are enabled for your Splunk deployment in limits.conf, you can add the following argument to the end of a search string to disable all optimizations when you run that search:

.... | noop search_optimization=false

If all search optimizations are disabled for your Splunk deployment in limits.conf, you can add the following argument to the end of a search string to enable all search optimizations when you run that search:

.... | noop search_optimization=true

Managing specific search optimizations with the noop command

You can use the optimization_type argument to selectively disable or enable specific types of search optimization.

Here is an example of a set of noop arguments that disable the predicate merge and predicate pushdown optimizations for a search.

.... | noop search_optimization.predicate_merge=f, search_optimization.predicate_push=f

This example works only if you have enabled all optimizations in limits.conf.

When you set enabled=false for the [search_optimization] stanza in limits.conf you disable all search optimizations for your Splunk platform deployment. With this limits.conf configuration, your searches can use noop to enable all optimizations and selectively disable specific optimization types.

For example, if you have the [search_optimization] stanza set to enabled = false in limits.conf, the following search enables all optimizations except projection elimination.

index=_internal | eval c = x * y / z | stats count BY a, b | noop search_optimization=true, search_optimization.projection_elimination=false

However, when you set enabled=false for the [search_optimization] stanza in limits.conf, your searches cannot enable specific optimization types unless specific conditions are met. See How the noop command interoperates with limits.conf search optimization settings.

How the noop command interoperates with limits.conf search optimization settings

Review how you have configured search optimization for your Splunk platform deployment in limits.conf before you use the noop command to enable or disable optimization types. The search processor respects limits.conf settings for optimization types only when [search_optimization] is enabled.

For example, if the [search_optimization] stanza is set to enabled=true in limits.conf, the search processor checks whether individual optimization types are enabled or disabled in limits.conf. On the other hand, if the [search_optimization] stanza is set to enabled = false, the search processor does not check the settings for other optimization types. It assumes all of the optimization types are set to enabled=false.

This search processor logic affects the way that the noop command works when you use it to enable or disable search optimization for an individual search.

For example, imagine that you have the following configuration in limits.conf:

[search_optimization]
enabled=false

[search_optimization::projection_elimination]
enabled=false

With this configuration, the search processor ignores the disabled projection elimination optimization. Because [search_optimization] is disabled, the search processor assumes all optimizations are disabled.

Say you have this configuration, and you run the following search, which uses the noop command to enable search optimization:

.... | noop search_optimization=true

When you do this, you enable search optimization, but the search processor sees that in limits.conf, the projection elimination optimization is disabled. It runs the search with all optimization types enabled except projection elimination.

Instead, use the noop command in a search to enable search optimization and selectively enable the projection elimination optimization:

.... | noop search_optimization=true search_optimization.projection_elimination=true

When this search runs, it overrides both limits.conf settings: the setting for [search_optimization] and the setting for [search_optimization::projection_elimination]. The search runs with all optimizations enabled.
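The precedence rules in this section can be modeled in a few lines. The following Python sketch is an added example, not Splunk code: it resolves which optimization types would run for a search from the limits.conf stanzas and the noop arguments, following the rules as this page states them. The function names are hypothetical, and it assumes a type that is disabled by default stays off unless it is enabled explicitly.

```python
import configparser
import re

# Optimization types from the table on this page. Only
# replace_stats_cmds_with_tstats is documented as disabled by default.
TYPES = ("eval_merge merge_union predicate_merge predicate_push predicate_split "
         "projection_elimination required_field_values replace_append_with_union "
         "replace_stats_cmds_with_tstats search_flip_normalization "
         "search_sort_normalization").split()
OFF_BY_DEFAULT = {"replace_stats_cmds_with_tstats"}

# limits.conf from the example on this page.
LIMITS_CONF = """
[search_optimization]
enabled=false

[search_optimization::projection_elimination]
enabled=false
"""

def as_bool(text):
    # The page writes booleans as true/false and as t/f.
    return text.strip().lower() in {"true", "t", "1"}

def parse_limits(conf_text):
    """Map None (master stanza) or an optimization type to its enabled flag."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {name.partition("::")[2] or None: as_bool(cp[name]["enabled"])
            for name in cp.sections()
            if name.split("::")[0] == "search_optimization" and "enabled" in cp[name]}

def parse_noop(spl):
    """Collect search_optimization[.<type>]=<bool> arguments of the noop command."""
    match = re.search(r"\|\s*noop\b([^|]*)", spl)
    args = re.findall(r"search_optimization(?:\.(\w+))?\s*=\s*(\w+)",
                      match.group(1) if match else "")
    return {(kind or None): as_bool(value) for kind, value in args}

def effective(conf_text, spl):
    """Per-type optimization state for one search; noop overrides limits.conf."""
    conf, noop = parse_limits(conf_text), parse_noop(spl)
    master = noop.get(None, conf.get(None, True))
    return {t: master and noop.get(t, conf.get(t, t not in OFF_BY_DEFAULT))
            for t in TYPES}

def enabled_types(conf_text, spl):
    return sorted(t for t, on in effective(conf_text, spl).items() if on)
```

Calling enabled_types(LIMITS_CONF, "<search string>") returns the optimization types that remain active for that search, which makes it easy to check a noop argument list against a given limits.conf before you run it.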

Use noop to set debugging channels for a search

The log_<level> argument lets you set the debugging channel for a search at a specific log level, such as debug or warn. You might use this if you need to set the log level for a specific search but do not have CLI access to the Splunk platform implementation.

The Splunk platform changes the log level after it parses the noop command. It can do this before the search head parses arguments from other search commands, even if it comes after those commands in the search string. For instance, the following search properly logs some debug messages from the makeresults command despite the fact that it precedes the noop command:

| makeresults count=1 | noop log_debug="MakeResultsProcessor"

However, the log_<level> argument cannot set the log level for search process components that are ahead of SPL argument processing in the order of operations. For example, LicenseMgr is one of those components. When you run this search, it still logs at the default level of info for LicenseMgr even though you specify debug in the SPL.

index=_internal | head 1 | noop log_debug="LicenseMgr"

If you have command-line access and you need to debug an issue with that component or ones like it, you can modify $SPLUNK_HOME/etc/log-searchprocess.cfg directly to set the logging level before the search is dispatched and produce more verbose output in search.log.

The noop command must be part of the streaming pipeline. Because the Splunk software performs argument parsing on the search head and then pushes the search to the indexers, make sure that the noop command is part of the streaming pipeline. Place the noop command before the first non-streaming command in the search string. An easy way to do this is to put it after the first command in the search string, which is usually search.

The log_<level> argument supports wildcard matching. You can also set different log levels for different debugging channels in the same search.

.... | noop log_debug=Cache* log_info=SearchOperator:kv,SearchOperator:multikv

For more information about logs and setting log levels for debugging channels, see What Splunk logs about itself in the Troubleshooting Manual.

Last modified on 28 April, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2

