Copyright © 2011, Splunk Inc. Listen to your data. Supercharge Your Searches

Presentation transcript:

Supercharge Your Searches

Agenda
Where’s the Turbo Button?
How Search Works
Supercharging Your Searches
Resources

Common Search Behavior
> *
Use All Time all the time
> foo | search bar
Don’t use default fields
Discover Fields
Build reports in the Flash Timeline View
Build reports over long spans of time
Build reports on large datasets
^ maybe not so great

How Search Works: Search Query Structure
name=waldo | eval loc=long+lat+alt | geoip loc
Stages: retrieve events; filter/transform/operate/map

How Search Works
[Diagram labels: db_lt_et_4, db_lt_et_2.tsidx, Sources.data, SourceTypes.data, Hosts.data.gz, db_ _ _1, history, _internal, main]

Types of Searches
Dense
– Use Case: computing stats, reporting
– Example: sourcetype=access_combined | timechart count
Sparse
– Use Case: troubleshooting, error analysis
– Example: sourcetype=access_combined status=404 | timechart count
Rare Term (or Needle in a Haystack)
– Use Case: user behavior tracking
– Example: sourcetype=access_combined sessionID=1234

Dense Searches
I/O-bound
– Dominant cost is retrieving events from disk
Divide and conquer
– Distribute search to an indexing cluster
– Parallel compute and merge results
Summarize and conquer
– Summary indexing to collect metrics on a scheduled basis
– Report on summarized data vs. raw data
– Transparent summary indexing in next version of Splunk
> sourcetype=access_combined | timechart count

Sparse Searches
CPU-bound
– Dominant cost is uncompressing *.gz raw data files
– Sometimes need to read far into a file to retrieve a few events
Avoid cherry picking
– Be selective about exclusions (avoid “NOT foo” or “field!=value”)
– In extreme cases, consider indexed fields
Filter using whole terms
– Instead of > sourcetype=access_combined clientip=
– Use > sourcetype=access_combined clientip=TERM( )
> sourcetype=access_combined status=404 | timechart count
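Why "Filter using whole terms" helps, as an added example (not from the slides and not Splunk's code): a toy inverted index in which a bare value is split on minor breakers and its pieces are ANDed together, while a TERM-style lookup matches the whole term. The breaker sets, sample events, IP address and function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Simplified breaker sets (assumption; not Splunk's full segmentation rules).
MAJOR = r'[\s\[\]"]+'
MINOR = r"[.\-/:=_]+"

# Constructed sample events in access_combined style.
EVENTS = [
    '10.1.2.3 - - [01/Jan/2011:10:00:01] "GET /a.html HTTP/1.1" 404 10',
    '10.2.3.1 - - [01/Jan/2011:10:00:02] "GET /b.html HTTP/1.1" 200 3',
    '192.168.0.9 - - [02/Mar/2011:10:01:03] "GET /2/c.html HTTP/1.1" 200 3',
    '172.16.0.5 - - [01/Jan/2011:11:00:00] "GET /d.html HTTP/1.0" 200 77',
]

def build_index(events):
    """Inverted index holding whole (major) terms and their minor pieces."""
    index = defaultdict(set)
    for event_id, raw in enumerate(events):
        for major in filter(None, re.split(MAJOR, raw)):
            index[major].add(event_id)
            for minor in filter(None, re.split(MINOR, major)):
                index[minor].add(event_id)
    return index

def candidates_bare(index, value):
    """Bare value: split on minor breakers and AND the pieces together."""
    pieces = [p for p in re.split(MINOR, value) if p]
    sets = [index.get(p, set()) for p in pieces]
    return set.intersection(*sets) if sets else set()

def candidates_term(index, value):
    """TERM(value): one lookup of the whole term."""
    return set(index.get(value, set()))

def search(events, index, value, use_term):
    """Return (matching events, number of raw events read to confirm them)."""
    lookup = candidates_term if use_term else candidates_bare
    candidates = lookup(index, value)
    # Each candidate's raw text is read and checked for the literal value.
    hits = [events[i] for i in sorted(candidates) if value in events[i].split()]
    return hits, len(candidates)

INDEX = build_index(EVENTS)

if __name__ == "__main__":
    print(search(EVENTS, INDEX, "10.1.2.3", use_term=False)[1])
    print(search(EVENTS, INDEX, "10.1.2.3", use_term=True)[1])
```

Both searches return the same single event, but the bare lookup has to read three raw events to confirm it, because the pieces 10, 1, 2 and 3 also occur in timestamps, paths and byte counts of other events.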

Sparse Searches
Upgrade to Splunk 4.2
– 5x faster in the latest version of Splunk
– Raw data size reduced from 5 MB to 64 KB
> sourcetype=access_combined status=404 | timechart count

Rare Term Searches
I/O-bound
– Dominant cost is asking all .tsidx files if a term exists
Bloom Filters
– Coming in the next release
– Bloom filters stored in each bucket
– I/Os to exclude a bucket go from to just 2
– x faster on conventional storage, >1000x faster on SSD
> sourcetype=access_combined sessionID=1234
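How a per-bucket Bloom filter lets a rare term search skip buckets without opening their term lexicons, as an added example (a simplified model, not from the slides and not Splunk's implementation). The filter size, hash construction, bucket names and sample events are constructed assumptions.

```python
import hashlib

class BloomFilter:
    """Fixed-size Bloom filter: never a false negative, rare false positives."""
    def __init__(self, bits=4096, hashes=3):
        self.bits, self.hashes, self.field = bits, hashes, 0

    def _positions(self, term):
        # Derive each bit position from a salted SHA-256 digest of the term.
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{term}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def add(self, term):
        for pos in self._positions(term):
            self.field |= 1 << pos

    def might_contain(self, term):
        return all((self.field >> pos) & 1 for pos in self._positions(term))

class Bucket:
    """Constructed stand-in for an index bucket: term lexicon plus its filter."""
    def __init__(self, name, events):
        self.name, self.events = name, events
        self.lexicon = {term for event in events for term in event.split()}
        self.bloom = BloomFilter()
        for term in self.lexicon:
            self.bloom.add(term)

def rare_term_search(buckets, term):
    """Return (matching events, number of buckets whose lexicon was opened)."""
    hits, opened = [], 0
    for bucket in buckets:
        if not bucket.bloom.might_contain(term):
            continue  # definite miss: skip the expensive lexicon lookup
        opened += 1
        if term in bucket.lexicon:  # confirm; the filter can report false positives
            hits += [e for e in bucket.events if term in e.split()]
    return hits, opened

# Constructed sample data: 20 buckets of 50 events; sessionID=1234 is in db_12 only.
BUCKETS = [
    Bucket(f"db_{i}", [f"sourcetype=access_combined sessionID={i * 100 + j}"
                       for j in range(50)])
    for i in range(20)
]

if __name__ == "__main__":
    hits, opened = rare_term_search(BUCKETS, "sessionID=1234")
    print(f"{len(hits)} hit(s); opened {opened} of {len(BUCKETS)} buckets")
```

A term present in every bucket, such as sourcetype=access_combined, still opens all 20 lexicons, so the filter pays off only for the needle-in-a-haystack case the slide describes.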

Supercharge the UI
| fields
Disable Fields
Collapse Timeline
Change Segmentation
Use Advanced Charting View

Advanced Charting View
No interactive events
No field discovery

Measuring Search: Using the Splunk Search Inspector
Remote timeline
Timings from distributed peers
Timings from the search command

Reading the Splunk Search Inspector
Metric      Description
index       look in tsidx files for where to read in rawdata
rawdata     read actual events from rawdata files
kv          apply fields to the events
filter      filter out events that don’t match (e.g., fields, phrases)
fieldalias  rename fields according to props.conf
lookups     create new fields based on existing field values
typer       assign eventtypes to events
tags        assign tags to events

Test Results
[Table: Average Run Time in Seconds by configuration: Timeline, Field Discovery, 1 Field, 2 Fields, Full Segmentation, Raw Segmentation]
Dataset: Apache access log
Size: 500 MB
Events: 1.5 million
Laptop: 2.4 GHz processor, 4 GB RAM

Supercharge Your Searches
Before
> *
Use All Time all the time
> foo | search bar
Don’t use default fields
Discover fields
Build reports in the Flash Timeline
Build reports over long spans of time
Build reports on large datasets
After
> be=selective AND be=specific | …
Narrow time range
> foo bar
> host=web sourcetype=access*
Use Advanced Charting View
Use Summary Indexing
Disable field discovery or … | fields

Technical Help: Splunk Answers
Community driven
Splunk supported
Knowledge exchange
Q & A

Splunk Education
Splunk Education
– Search & Reporting Course
– Pre-Requisite: Using Splunk Course
Splunk User Conference
– August in San Francisco, CA
– 5 tracks, more than 40 sessions, the smartest Splunk users together
– Sessions dedicated to search (Beginner, Intermediate, Advanced)

Q&A
Questions?
Examples
Looking Ahead

Thank You :)

Graphic for Spreading the Word
Supercharge Your Searches
One of the questions we often hear is, ‘Where’s the turbo button?’ We’re working on that, but it’s not easy to make a turbo button that will work for everyone, so we want to empower you to make better decisions about how you search. This is a workshop designed to help Splunk users supercharge their searches: slim down searches by addressing common mistakes, and understand how the search engine works under the hood. In many ways, performance is governed by the hardware and Splunk infrastructure already in place; however, there are some critical decisions users can make to increase search speeds. Get smarter. Go faster.