Optimize indexing and search processes
Optimizing search and indexing processes can improve your system performance and Splunk Virtual Compute (SVC) utilization. Because SVC usage is based on processes performed by the search heads and indexers, optimizing these processes for efficiency can positively impact your SVC usage.
However, SVC usage is not a direct measurement of the health and performance of your deployment. Improving a search or indexing process might not decrease your SVC usage but could improve your system performance. For a better understanding of your system health, see Use the Health dashboard in the Splunk Cloud Platform Admin Manual.
To learn more about SVCs, how you can monitor them using the Cloud Monitoring Console (CMC), and the workload pricing model, see the following documentation:
- Monitor current SVC usage of your workload-based subscription in the Splunk Cloud Platform Admin Manual.
- Performance considerations in the Splunk Cloud Platform Service Description.
The following tips and resources can help you improve search and indexing processes and potentially improve SVC usage and system performance.
Optimize search processes
The following are ways you can optimize search processes so that they're more resource efficient:
Method | Details |
---|---|
Review data models | You can use the Common Information Model (CIM) add-on, which contains preconfigured data models that can accelerate key data. Turn on data acceleration and use CIM filters to exclude data from searches so that your searches use fewer resources. Make sure to include index definitions to reduce the data scanned during data model acceleration. See the following documentation from the Common Information Model Add-on Manual: |
Review skipped searches | Get more details on skipped searches using the following CMC dashboards in the Splunk Cloud Platform Admin Manual: See the following resources to learn more about reducing skipped searches: |
Review searches that run over all time | Searches that run over all time might use many resources, especially if they're event searches without tokens or indexed fields that filter the data. However, some searches that run over all time, such as API calls, don't use a lot of resources. |
Review long-running searches and optimize SPL | Improve your searches so that they're less resource intensive. Prioritize improving the most expensive searches. See the following documentation to learn more: |
Turn off unused scheduled searches, report acceleration, and data model acceleration | Unused scheduled searches, report acceleration, and data model acceleration take up resources unnecessarily. This is especially true for out-of-the-box saved searches and accelerations. You can use the Splunk app for Redundant or Inefficient Search Spotting to identify redundant searches. |
Remove unused apps and technical add-ons (TAs) | Unused apps and TAs take up resources unnecessarily. This is especially true if you have unused CIM data models, out-of-the-box saved searches, and accelerations. |
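
As a starting point for the "Review skipped searches" and "Review long-running searches and optimize SPL" rows, the following search ranks scheduled searches by skipped runs and cumulative run time. It is an added example, not part of the original Splunk documentation. It assumes your role can read the `_internal` index, and the 24-hour window and 600-second threshold are illustrative values to tune for your deployment.

```spl
index=_internal sourcetype=scheduler earliest=-24h@h latest=now
| stats count(eval(status="skipped")) AS skipped_runs
        count(eval(status="success")) AS completed_runs
        sum(run_time) AS total_run_time_s
        max(run_time) AS max_run_time_s
        values(reason) AS skip_reasons
        BY app, savedsearch_name
| eval skip_ratio = round(skipped_runs / (skipped_runs + completed_runs), 3)
| where skipped_runs > 0 OR total_run_time_s > 600
| sort - total_run_time_s
```

The search itself follows the guidance in the table: it names a single index and a bounded time range instead of running over all time.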
Optimize indexing processes
You can improve indexing processes by investigating data quality issues and following HTTP Event Collector (HEC) best practices.
Method | Details |
---|---|
Investigate data quality issues | Review the CMC Data Quality dashboard and see Verify data quality in the Splunk Cloud Platform Admin Manual to investigate data quality issues. Address line breaking, event breaking, and timestamp issues to improve data quality. See the following Splunk Lantern articles to learn more: |
Review your HTTP Event Collector (HEC) performance | To gain more insight on your HEC status, review the CMC HTTP Event Collector (HEC) dashboard and see Check the status of HTTP event collection in the Splunk Cloud Platform Admin Manual. |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408