Splunk® Enterprise

Metrics

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Best practices for metrics

The following are best practices when working with metrics in the Splunk platform:

Cardinality issues

Metrics search performance decreases as the cardinality of the metric time series stored in a given index and bucket increases. In other words, as the number of unique dimension sets in your metrics data increases, the speed of your metrics searches decreases. The following strategies can help you reduce the time series cardinality in your metrics indexes and buckets.

  • Remove unnecessary dimensions from your data. Focus on removing dimensions that have a wide range of unique values, like user IDs or phone numbers.
  • Use larger bucket sizes. This can help you reduce the overhead per metrics data point. For example, you might try sizing your buckets to 10GB.
  • Split your metrics data across multiple indexes. When you do this, partition the indexes by relative search domains. Keep data that tends to be searched frequently together in the same index. For example, you may want to keep your IT Infrastructure metrics data in one index, and your Sales/Marketing metrics in another index, if those two data sets are rarely searched together.

High result row cardinality also slows down search performance. You can try to mitigate this by increasing the time bucket span to reduce the number of rows returned. You can also reduce the overall time range of your search.

StatsD Format with dimensions extension

If you are indexing data that is in StatsD format, use the StatsD format with the dimensions extension for better performance:

    cpu.idle:0.5|g|#host:some-hostsplunk.com,app:some-app

Use it instead of the plain StatsD format that combines dimensions with the metric name:

    cpu.idle.some-hostsplunk.com.some-app

Other best practices

  • The _value field of a metric should be of type "Double", not type "String", to avoid causing indexing inefficiencies.
  • For a faster response time for REST calls to the Metrics Catalog endpoint, use constrained time windows when applicable. By default, only the last 24 hours of data is searched. See Metrics Catalog endpoint descriptions in the REST API Reference Manual.
  • Make sure dimension names do not start with an underscore ( _ ). Such dimensions will not be indexed.
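
The following pre-ingestion check is an added example, not Splunk code. It parses StatsD lines that use the dimensions extension, counts the distinct metric time series (unique metric name plus dimension set), and flags the issues described above: dimensions folded into the metric name, non-numeric values, dimension names that start with an underscore, and dimensions with many unique values. The function names, the `max_unique` threshold, and every sample line except the first are assumptions made for illustration.

```python
from collections import defaultdict

def parse_statsd(line):
    """Parse 'name:value|type|#dim:val,...' into (name, value, type, dims)."""
    head, _, rest = line.strip().partition("|")
    name, sep, raw_value = head.rpartition(":")
    if not sep or not name:
        raise ValueError(f"missing metric name or value: {line!r}")
    value = float(raw_value)  # ValueError if the value is not numeric
    parts = rest.split("|")
    dims = {}
    for part in parts[1:]:
        if part.startswith("#"):  # dimensions extension segment
            dims.update(p.split(":", 1) for p in part[1:].split(",") if ":" in p)
    return name, value, parts[0], dims

def audit(lines, max_unique=3):
    """Return (time_series_count, warnings); max_unique is an assumed threshold."""
    series, per_dim, warnings = set(), defaultdict(set), []
    for n, line in enumerate(lines, 1):
        try:
            name, _, _, dims = parse_statsd(line)
        except ValueError as exc:
            warnings.append(f"line {n}: {exc}")
            continue
        if not dims:
            warnings.append(f"line {n}: no dimensions extension on {name!r}")
        for key in [k for k in dims if k.startswith("_")]:
            warnings.append(f"line {n}: dimension {key!r} starts with '_', not indexed")
            del dims[key]  # excluded from the series key because it is not indexed
        for key, val in dims.items():
            per_dim[key].add(val)
        series.add((name, tuple(sorted(dims.items()))))
    for key, vals in sorted(per_dim.items()):
        if len(vals) > max_unique:
            warnings.append(f"dimension {key!r}: {len(vals)} unique values")
    return len(series), warnings

# Constructed sample input; only the first line is taken from the page.
SAMPLE = [
    "cpu.idle:0.5|g|#host:some-hostsplunk.com,app:some-app",
    "cpu.idle:0.7|g|#host:some-hostsplunk.com,app:some-app",
    "cpu.idle.some-hostsplunk.com.some-app:0.5|g",
    "login.count:1|c|#user_id:1001", "login.count:1|c|#user_id:1002",
    "login.count:1|c|#user_id:1003", "login.count:1|c|#user_id:1004",
    "mem.used:high|g|#host:h1", "disk.free:12.5|g|#_internal:x,host:h1",
]

if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```

Run against a sample of the feed before it reaches the metrics index, the warnings show which dimensions to drop or rename.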
Last modified on 24 July, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12

