Splunk

Splunk Enterprise Fundamental Part2 Module1

1. Course Content

  • Search fundamentals review
  • Case sensitivity
  • Using the job inspector to view search performance

2. Start

2.1. Search fundamentals review

Covered in Fundamentals Part 1 and the Search Tutorial.

2.2. Case sensitivity

Covered in Fundamentals Part 1 and the Search Tutorial.

2.3. Using the job inspector to view search performance

Use the Search Job Inspector to view information about the current job, such as job execution costs and search job properties.
The Search Job Inspector is a tool that lets you take a closer look at what your search is doing and see where the Splunk software is spending most of its time.
The Search Job Inspector shows you:

  • Execution costs
    The Execution costs section lists the components of the search and how much impact each component has on the overall performance of the search.
  • Search job properties
    The Search job properties section lists the other characteristics of the job.

Execution costs

  • The component durations in seconds
  • How many times each component was invoked while the search ran
  • The input and output event counts for each component

Execution costs of search commands

The search command's component name is command.search. Its sub-components break down where the time went:

  • command.search.index: how long it took to look into the TSIDX files for the location to read in the raw data
  • command.search.rawdata: how long it took to read the actual events from the rawdata files
  • command.search.typer: how long it took to assign event types to events
  • command.search.kv: how long it took to apply field extractions to the events
  • command.search.fieldalias: how long it took to rename fields according to props.conf
  • command.search.lookups: how long it took to create new fields based on existing fields (perform field lookups)
  • command.search.filter: how long it took to filter out events that do not match, for example on fields and phrases
  • command.search.tags: how long it took to assign tags to events

Execution costs of dispatched searches

See the documentation: https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/ViewsearchjobpropertieswiththeJobInspector

Search job properties

The Search job properties fields provide information about the search job.
Search performance should be measured by the scanCount/time rate rather than the resultCount/time rate. Typically, the scanCount-per-second event rate should be between 10k and 20k events per second for performance to be considered good.
Debug messages

Open the limits.conf file (the course uses the default copy shown below; Splunk's convention is to put overrides in a local limits.conf rather than editing the default file, which upgrades overwrite):

cat /opt/splunk/etc/system/default/limits.conf

Add the following setting in the [search_info] stanza:

infocsv_log_level = INFO

Example

... | dedup punct

The command.prededup component gives you the performance impact of processing the results of the search command before passing them into the dedup command:

  • The Input count of command.prededup matches the Output count of command.search
  • The Input count of command.dedup matches the Output count of command.prededup

The Output count of command.prededup should match the number of events returned at the completion of the search. This is the value of resultCount, under Search job properties.
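As an added example (not from the course or from Splunk), the following Python script applies the two checks described above to Job Inspector style data: the scanCount/time rate from the search job properties, and the input/output count relationships between command.search, command.prededup and command.dedup for the dedup example. The property and component names are modelled on what the Job Inspector displays; the sample job itself is constructed by hand, not captured from a real instance.

```python
"""Assess a Splunk search job from Job Inspector style data (added example).

The job dict below is hand-constructed to mimic the Job Inspector's search
job properties (scanCount, resultCount, runDuration) and its execution-costs
table (one row per component with duration, invocation count and
input/output counts). The field names are an assumption modelled on the
Job Inspector; nothing here was captured from a real Splunk instance.
"""

GOOD_RATE_MIN = 10_000  # scanCount per second: lower edge of the "good" band
GOOD_RATE_MAX = 20_000  # upper edge of the band quoted in the notes


def _cost(duration_secs, invocations, input_count, output_count):
    """Build one execution-costs row in the shape the checks below expect."""
    return {"duration_secs": duration_secs, "invocations": invocations,
            "input_count": input_count, "output_count": output_count}


# Constructed sample for a search of the form:  ... | dedup punct
SAMPLE_JOB = {
    "scanCount": 180_000,   # events read from disk while the search ran
    "resultCount": 1_250,   # events returned once dedup finished
    "runDuration": 10.0,    # seconds
    "performance": {
        #                               secs  calls  input    output
        "command.search":         _cost(8.2,  12,    0,       150_000),
        "command.search.index":   _cost(0.9,  12,    0,       0),
        "command.search.rawdata": _cost(5.1,  12,    0,       0),
        "command.search.kv":      _cost(1.4,  12,    0,       0),
        "command.search.filter":  _cost(0.6,  12,    0,       0),
        "command.prededup":       _cost(0.7,  12,    150_000, 1_250),
        "command.dedup":          _cost(0.3,  12,    1_250,   1_250),
    },
}


def scan_rate(job):
    """scanCount per second: the throughput figure the notes say to use."""
    return job["scanCount"] / job["runDuration"]


def rate_verdict(rate):
    """Classify a scanCount/second rate against the 10k-20k band."""
    if rate < GOOD_RATE_MIN:
        return "slow"
    if rate <= GOOD_RATE_MAX:
        return "good"
    return "above typical range"


def top_components(job, n=3):
    """Component names ordered by time spent, most expensive first."""
    perf = job["performance"]
    return sorted(perf, key=lambda name: perf[name]["duration_secs"],
                  reverse=True)[:n]


def check_dedup_pipeline(job):
    """Verify the count relationships the notes describe for `... | dedup`.

    Returns a list of mismatch descriptions; an empty list means the
    execution-costs table is internally consistent.
    """
    perf = job["performance"]
    search = perf["command.search"]
    prededup = perf["command.prededup"]
    dedup = perf["command.dedup"]
    problems = []
    if prededup["input_count"] != search["output_count"]:
        problems.append("command.prededup input != command.search output")
    if dedup["input_count"] != prededup["output_count"]:
        problems.append("command.dedup input != command.prededup output")
    if prededup["output_count"] != job["resultCount"]:
        problems.append("command.prededup output != resultCount")
    return problems


def summarize(job):
    """One dict with the rate, its verdict, the hot spots and any mismatches."""
    rate = scan_rate(job)
    return {"scan_rate": rate, "verdict": rate_verdict(rate),
            "hot_spots": top_components(job),
            "dedup_problems": check_dedup_pipeline(job)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_JOB).items():
        print(f"{key}: {value}")
```

On the constructed sample the rate comes out at 18,000 events per second (inside the band), command.search and command.search.rawdata are the hot spots, and the three count relationships hold. Feeding the checks a job whose resultCount disagrees with the command.prededup output reports exactly that mismatch.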

3. Relevant Video

Using the Splunk Search Job Inspector

linuxwt
https://linuxwt.com