Supercharge Your Searches

Copyright © 2011, Splunk Inc. Listen to your data.Date

NameTitle

SuperchargeYour Searches

Copyright © 2011, Splunk Inc. Listen to your data.2

Agenda

• Where’s the Turbo Button?• How Search Works• Supercharging Your Searches• Resources


Common Search Behavior

> *Use All Time all the time> foo | search barDon’t use default fieldsDiscover FieldsBuild reports in the Flash Timeline ViewBuild reports over long spans of timeBuild reports on large datasets

^ maybe not so great


How Search WorksSearch Query Structure

name=waldo | eval loc=long+lat+alt | geoip loc

retrieve events filter/transform/operate/map

Copyright © 2011, Splunk Inc. Listen to your data.

How Search Works

5

db_lt_et_4

db_lt_et_1

.tsidx

Sources.data

SourceTypes.data

Hosts.data

.gz.gz

.gz.gz

.gz

.gz.gz

.gz

db_1290057665_1289504696_1history

_internal

main


Types of Searches

Dense– Use Case: computing stats, reporting– Example: sourcetype=access_combined | timechart countSparse– Use Case: troubleshooting, error analysis– Example: sourcetype=access_combined status=404 | timechart countRare Term ( or Needle in a Haystack)– Use Case: user behavior tracking– Example: sourcetype=access_combined sessionID=1234


Dense Searches

I/O-bound– Dominant cost is retrieving events from diskDivide and conquer– Distribute search to an indexing cluster– Parallel compute and merge resultsSummarize and conquer– Summary indexing to collect metrics on a scheduled basis– Report on summarized data vs. raw data– Transparent summary indexing in next version of Splunk

> sourcetype=access_combined | timechart count


Sparse Searches

CPU-bound– Dominant cost is uncompressing *.gz raw data files– Sometimes need to read far into a file to retrieve a few eventsAvoid cherry picking– Be selective about exclusions (avoid “NOT foo” or “field!=value”)– In extreme cases, consider indexed fieldsFilter using whole terms– Instead of > sourcetype=access_combined clientip=192.168.11.2– Use > sourcetype=access_combined clientip=TERM(192.168.11.2)

> sourcetype=access_combined status=404 | timechart count


Sparse Searches

Upgrade to Splunk 4.2– 5x faster in the latest version of Splunk– Raw data size reduced from 5 MB to 64 KB

> sourcetype=access_combined status=404 | timechart count


Rare Term Searches

I/O-bound– Dominant cost is asking all .tsidx files if a term existsBloom Filters– Coming in the next release– Bloom filters stored in each bucket– I/Os to exclude a bucket go from 100-200 to just 2– 50-100x faster on conventional storage, >1000x faster on SSD

> sourcetype=access_combined sessionID=1234


Supercharge the UI

| fields

Disable Fields

Collapse Timeline

Change Segmentation

Use Advanced Charting View


Advanced Charting ViewNo interactive eventsNo field discovery


Measuring SearchUsing the Splunk Search Inspector

Remote timeline

Timings fromdistributed peers

Timings fromthe search command


Reading the Splunk Search InspectorMetric Description

index look in tsidx files for where to read in rawdata

rawdata read actual events from rawdata files

kv apply fields to the events

filter filter out events that don’t match (e.g., fields, phrases)

fieldalias rename fields according to props.conf

lookups create new fields based on existing field values

typer assign eventtypes to events

tags assign tags to events


Test Results

Timeline xField Discovery x x1 Field x2 Fields xFull Segmentation x x x x xRaw Segmentation x

Average Run Time in Seconds 234 218 62 77 87 62

• Dataset: Apache access log• Size: 500 MB• Events: 1.5 million• Laptop: 2.4 GHz processor

4 GB RAM


Supercharge Your SearchesBefore After

> *

Use All Time all the time

> foo | search bar

Don’t use default fields

Discover fields

Build reports in the Flash Timeline

Build reports over long spans of time

Build reports on large datasets

> be=selective AND be=specific | …

Narrow time range

> foo bar

> host=web sourcetype=access*

Use Advanced Charting View

Use Summary Indexing

Use Summary Indexing

Disable field discovery or … | fields


Technical Help: Splunk Answershttp://answers.splunk.comCommunity drivenSplunk supportedKnowledge exchangeQ & A

http://answers.splunk.com/


Splunk EducationSplunk Education– Search & Reporting Course– Pre-Requisite: Using Splunk Course

Splunk User Conference– August 15-17 in San Francisco, CA– 5 tracks, more than 40 sessions, the smartest Splunk users together– Sessions dedicated to search (Beginner, Intermediate, Advanced)


Q&A

Questions?ExamplesLooking Ahead


Graphic for Spreading the Word

Supercharge Your SearchesOne of the questions we often hear is, ‘Where’s the turbo button?’ We’re working on that, but it’s not easy to make a turbo button that will work for everyone so we want to empower you to make better decisions about how you search. This is a workshop designed to help Splunk users supercharge their searches—slim down searches by addressing common mistakes and help users understand how the search engine works under the hood. In many ways, performance is governed by the hardware and Splunk infrastructure already in place, however there are some critical decisions users can make to increase search speeds. Get smarter. Go faster.

Supercharge Your Searches

Documents

Transcript of Supercharge Your Searches