Troubleshooting and investigating searches

 

As a Splunk platform user, you run a lot of searches in the platform every day. You've followed best practices to optimize your searches, but there are still occasions where your searches don't run as expected. In these instances, you need to be able to dig into the detail of the search to understand what's happening.

You also need to be able to get an in-depth understanding of certain factors relating to the searches you do. For example, in distributed environments, it's critical to know execution costs across search peers, but you're not sure how to access this information.

Solution

The Search Job Inspector is a good tool for you to use to troubleshoot specific searches and get details about the search's characteristics. It provides a window into what happens when you click the search button. You can see where time was spent fulfilling your search, including the behavior of knowledge objects in your environment. The Search Job Inspector can be used with any search job that has not expired.

Watch this video to learn how to use the Search Job Inspector, including how to:

  • Access the Search Job Inspector in two different ways
  • Find out the events per second (EPS) for your search, so you can see how well your search is performing
  • Use the search log to understand the steps taken to return your results
  • Find out what processing components are affecting your search
  • Find execution costs to dispatch your search
  • Find out more characteristics of your search, including the:
    • time the search was created
    • number of events and event fields scanned
    • status of the search
    • result count

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.