An ex-colleague at Splunk asked me in a LinkedIn post if Cribl Stream does anything else besides log reduction. In this blog, I'll focus on using Stream to improve Splunk performance for search while lowering CPU usage.

Splunk is a great tool that makes it easy to convert raw, unstructured machine data into meaningful outcomes. Curious what data you have? Just run a search like Google for your logs. That's because Splunk was first designed for search-time analytics: the schema is built when you run your search. Need to report on gigabytes or terabytes of unstructured data and populate statistical graphs or timecharts? Well, that's where Splunk performance can suffer. This is where adopting a different strategy, like populating index-time fields or a time-series metrics database, produces much faster results.

If you're in the David Veuve camp, you know the value of using the tstats command to achieve performant searches in Splunk. And if you're in the Clint Sharp camp, you know the value of time-series databases, such as a Splunk metrics index. Stream optimizes data so that it's consumable again.

In my small lab, in a set of Docker containers, Stream was shown to improve the performance of Splunk searches by up to 103x by populating index-time fields and searching via tstats. For a different data set, where a metrics index was populated instead of a traditional event index, performance improved by 13x, and the searches were also simplified by leveraging the 'analytics workspace.' The performance improvements will be even larger in a production environment where billions or trillions of events are searched. Happy Splunking.

I hope the above explanation gives you a clear insight into stats commands and their uses. Hence, next time you see a Splunk dashboard or develop your own dashboard, you will know how to choose the right stats command. The indexed fields come from normal index data, accelerated data models, or tscollect data.