Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Supercharge Your Searches.

Published byTianna Keys Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Supercharge Your Searches."— Presentation transcript:

1 Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Supercharge Your Searches

2 Copyright © 2011, Splunk Inc.Listen to your data. Agenda 2 Where’s the Turbo Button? How Search Works Supercharging Your Searches Resources

3 Copyright © 2011, Splunk Inc.Listen to your data. Common Search Behavior 3 > * Use All Time all the time > foo | search bar Don’t use default fields Discover Fields Build reports in the Flash Timeline View Build reports over long spans of time Build reports on large datasets ^ maybe not so great

4 Copyright © 2011, Splunk Inc.Listen to your data. How Search Works Search Query Structure 4 name=waldo | eval loc=long+lat+alt | geoip loc retrieve eventsfilter/transform/operate/map

5 Copyright © 2011, Splunk Inc.Listen to your data. How Search Works 5 db_lt_et_4 db_lt_et_2.tsidx Sources.data SourceTypes.data Hosts.data.gz db_1290057665_1289504696_1 history _internal main

6 Copyright © 2011, Splunk Inc.Listen to your data. Types of Searches 6 Dense – Use Case: computing stats, reporting – Example: sourcetype=access_combined | timechart count Sparse – Use Case: troubleshooting, error analysis – Example: sourcetype=access_combined status=404 | timechart count Rare Term ( or Needle in a Haystack) – Use Case: user behavior tracking – Example: sourcetype=access_combined sessionID=1234

7 Copyright © 2011, Splunk Inc.Listen to your data. Dense Searches 7 I/O-bound – Dominant cost is retrieving events from disk Divide and conquer – Distribute search to an indexing cluster – Parallel compute and merge results Summarize and conquer – Summary indexing to collect metrics on a scheduled basis – Report on summarized data vs. raw data – Transparent summary indexing in next version of Splunk > sourcetype=access_combined | timechart count

8 Copyright © 2011, Splunk Inc.Listen to your data. Sparse Searches 8 CPU-bound – Dominant cost is uncompressing *.gz raw data files – Sometimes need to read far into a file to retrieve a few events Avoid cherry picking – Be selective about exclusions (avoid “ NOT foo ” or “ field!=value ”) – In extreme cases, consider indexed fields Filter using whole terms – Instead of > sourcetype=access_combined clientip=192.168.11.2 – Use > sourcetype=access_combined clientip=TERM(192.168.11.2) > sourcetype=access_combined status=404 | timechart count

9 Copyright © 2011, Splunk Inc.Listen to your data. Sparse Searches 9 Upgrade to Splunk 4.2 – 5x faster in the latest version of Splunk – Raw data size reduced from 5 MB to 64 KB > sourcetype=access_combined status=404 | timechart count

10 Copyright © 2011, Splunk Inc.Listen to your data. Rare Term Searches 10 I/O-bound – Dominant cost is asking all.tsidx files if a term exists Bloom Filters – Coming in the next release – Bloom filters stored in each bucket – I/Os to exclude a bucket go from 100-200 to just 2 – 50-100x faster on conventional storage, >1000x faster on SSD > sourcetype=access_combined sessionID=1234

11 Copyright © 2011, Splunk Inc.Listen to your data. Supercharge the UI 11 | fields Disable Fields Collapse Timeline Change Segmentation Use Advanced Charting View

12 Copyright © 2011, Splunk Inc.Listen to your data. Advanced Charting View 12 No interactive events No field discovery

13 Copyright © 2011, Splunk Inc.Listen to your data. Measuring Search Using the Splunk Search Inspector 13 Remote timeline Timings from distributed peers Timings from the search command

14 Copyright © 2011, Splunk Inc.Listen to your data. Reading the Splunk Search Inspector 14 MetricDescription index look in tsidx files for where to read in rawdata rawdata read actual events from rawdata files kv apply fields to the events filter filter out events that don’t match (e.g., fields, phrases) fieldalias rename fields according to props.conf lookups create new fields based on existing field values typer assign eventtypes to events tags assign tags to events

15 Copyright © 2011, Splunk Inc.Listen to your data. Test Results 15 Timeline x Field Discovery xx 1 Field x 2 Fields x Full Segmentation xxxxx Raw Segmentation x Average Run Time in Seconds 23421862778762 Dataset: Apache access log Size: 500 MB Events: 1.5 million Laptop: 2.4 GHz processor 4 GB RAM

16 Copyright © 2011, Splunk Inc.Listen to your data. Supercharge Your Searches 16 BeforeAfter > * Use All Time all the time > foo | search bar Don’t use default fields Discover fields Build reports in the Flash Timeline Build reports over long spans of time Build reports on large datasets > be=selective AND be=specific | … Narrow time range > foo bar > host=web sourcetype=access* Use Advanced Charting View Use Summary Indexing Disable field discovery or … | fields

17 Copyright © 2011, Splunk Inc.Listen to your data. Technical Help: Splunk Answers 17 http://answers.splunk.com Community driven Splunk supported Knowledge exchange Q & A

18 Copyright © 2011, Splunk Inc.Listen to your data. Splunk Education 18 Splunk Education –Search & Reporting Course –Pre-Requisite: Using Splunk Course Splunk User Conference –August 15-17 in San Francisco, CA –5 tracks, more than 40 sessions, the smartest Splunk users together –Sessions dedicated to search (Beginner, Intermediate, Advanced)

19 Copyright © 2011, Splunk Inc.Listen to your data. Q&A 19 Questions? Examples Looking Ahead

20 Copyright © 2011, Splunk Inc.Listen to your data. Thank You :)

21 Copyright © 2011, Splunk Inc.Listen to your data. Graphic for Spreading the Word 21 Supercharge Your Searches One of the questions we often hear is, ‘Where’s the turbo button?’ We’re working on that, but it’s not easy to make a turbo button that will work for everyone so we want to empower you to make better decisions about how you search. This is a workshop designed to help Splunk users supercharge their searches—slim down searches by addressing common mistakes and help users understand how the search engine works under the hood. In many ways, performance is governed by the hardware and Splunk infrastructure already in place, however there are some critical decisions users can make to increase search speeds. Get smarter. Go faster. Supercharge Your Searches One of the questions we often hear is, ‘Where’s the turbo button?’ We’re working on that, but it’s not easy to make a turbo button that will work for everyone so we want to empower you to make better decisions about how you search. This is a workshop designed to help Splunk users supercharge their searches—slim down searches by addressing common mistakes and help users understand how the search engine works under the hood. In many ways, performance is governed by the hardware and Splunk infrastructure already in place, however there are some critical decisions users can make to increase search speeds. Get smarter. Go faster.

Download ppt "Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Supercharge Your Searches."

Similar presentations

Copyright © 2011, Splunk Inc.Listen to your data. Get Started with Splunk Reports & Dashboards.

Copyright © 2011, Splunk Inc.Listen to your data. Get Started with Splunk Reports & Dashboards.
LIBRA: Lightweight Data Skew Mitigation in MapReduce

LIBRA: Lightweight Data Skew Mitigation in MapReduce
Physical Database Design Data Migration/Conversion.

Physical Database Design Data Migration/Conversion.
1 External Sorting Chapter 13. 2 Why Sort?  A classic problem in computer science!  Data requested in sorted order  e.g., find students in increasing.

1 External Sorting Chapter Why Sort?  A classic problem in computer science!  Data requested in sorted order  e.g., find students in increasing.
Query Evaluation. An SQL query and its RA equiv. Employees (sin INT, ename VARCHAR(20), rating INT, age REAL) Maintenances (sin INT, planeId INT, day.

Query Evaluation. An SQL query and its RA equiv. Employees (sin INT, ename VARCHAR(20), rating INT, age REAL) Maintenances (sin INT, planeId INT, day.
Indexes. Primary Indexes Dense Indexes Pointer to every record of a sequential file, (ordered by search key). Can make sense because records may be much.

Indexes. Primary Indexes Dense Indexes Pointer to every record of a sequential file, (ordered by search key). Can make sense because records may be much.
External Sorting R & G Chapter 11 One of the advantages of being disorderly is that one is constantly making exciting discoveries. A. A. Milne.

External Sorting R & G Chapter 11 One of the advantages of being disorderly is that one is constantly making exciting discoveries. A. A. Milne.
Primary Indexes Dense Indexes

Primary Indexes Dense Indexes
Text-Based Content Search and Retrieval in ad hoc P2P Communities Francisco Matias Cuenca-Acuna Thu D. Nguyen

Text-Based Content Search and Retrieval in ad hoc P2P Communities Francisco Matias Cuenca-Acuna Thu D. Nguyen
1 External Sorting for Query Processing Yanlei Diao UMass Amherst Feb 27, 2007 Slides Courtesy of R. Ramakrishnan and J. Gehrke.

1 External Sorting for Query Processing Yanlei Diao UMass Amherst Feb 27, 2007 Slides Courtesy of R. Ramakrishnan and J. Gehrke.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
Welcome Course 20410B Module 0: Introduction Audience

Welcome Course 20410B Module 0: Introduction Audience
Enterprise Search. Search Architecture Configuring Crawl Processes Advanced Crawl Administration Configuring Query Processes Implementing People Search.

Enterprise Search. Search Architecture Configuring Crawl Processes Advanced Crawl Administration Configuring Query Processes Implementing People Search.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.
Welcome Thank you for taking our training. Collection 6421: Configure and Troubleshoot Windows Server® 2008 Network Course 6690 – 6709 at

Welcome Thank you for taking our training. Collection 6421: Configure and Troubleshoot Windows Server® 2008 Network Course 6690 – 6709 at
Selecting and Implementing An Embedded Database System Presented by Jeff Webb March 2005 Article written by Michael Olson IEEE Software, 2000.

Selecting and Implementing An Embedded Database System Presented by Jeff Webb March 2005 Article written by Michael Olson IEEE Software, 2000.
Troubleshooting SQL Server Enterprise Geodatabase Performance Issues

Troubleshooting SQL Server Enterprise Geodatabase Performance Issues
Performance Tuning Cubes and Queries in Analysis Services 2008 Chris Webb

Performance Tuning Cubes and Queries in Analysis Services 2008 Chris Webb

Similar presentations

Ads by Google