Best practices for metrics
The following are best practices when working with metrics in the Splunk platform:
Metrics search performance decreases as the cardinality of the metric time series stored in a given index and bucket increases. In other words, as the number of unique dimension sets in your metrics data increases, the speed of your metrics searches decreases. The following strategies can help you reduce the time series cardinality in your metrics indexes and buckets.
- Remove unnecessary dimensions from your data. Focus on removing dimensions that have a wide range of unique values, like user IDs or phone numbers.
- Use larger bucket sizes. This can help you reduce the overhead per metrics data point. For example, you might try sizing your buckets to 10GB.
- Split your metrics data across multiple indexes. When you do this, partition the indexes by relative search domains. Keep data that tends to be searched frequently together in the same index. For example, you may want to keep your IT Infrastructure metrics data in one index, and your Sales/Marketing metrics in another index, if those two data sets are rarely searched together.
High result row cardinality also slows down search performance. You can try to mitigate this by increasing the time bucket
span to reduce the number of rows returned. You can also reduce the overall time range of your search.
StatsD Format with dimensions extension
If you are indexing data that is in StatsD format, use the StatsD format with the dimensions extension for better performance:
Use it instead of the plain StatsD format that combines dimensions with the metric name:
Other best practices
_valuefield of a metric should be of type "Double", not type "String", to avoid causing indexing inefficiencies.
- For a faster response time for REST calls to the Metrics Catalog endpoint, use constrained time windows when applicable. By default, only the last 24 hours of data is searched. See Metrics Catalog endpoint descriptions in the REST API Reference Manual.
- Make sure dimension names do not start with an underscore ( _ ). Such dimensions will not be indexed.
Metrics indexing performance
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.1.2101, 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111