Troubleshooting and investigating searches
As a Splunk platform user, you run a lot of searches in the platform every day. You've followed best practices to optimize your searches, but there are still occasions where your searches don't run as expected. In these instances, you need to be able to dig into the detail of the search to understand what's happening.
You also need to be able to get an in-depth understanding of certain factors relating to the searches you do. For example, in distributed environments, it's critical to know execution costs across search peers, but you're not sure how to access this information.
Solution
The Search Job Inspector is a good tool for you to use to troubleshoot specific searches and get details about the search's characteristics. It provides a window into what happens when you click the search button. You can see where time was spent fulfilling your search, including the behavior of knowledge objects in your environment. The Search Job Inspector can be used with any search job that has not expired.
Watch this video to learn how to use the Search Job Inspector, including how to:
- Access the Search Job Inspector two different ways
- Find out the events per second (EPS) for your search, so you can see how well your search is performing
- Use the search log to understand into the steps taken to return your results
- Find out what processing components are affecting your search
- Find execution costs to dispatch your search
- Find out more characteristics of your search, including the:
- time the search was created
- number of events and event fields scanned
- status of the search
- result count
Next steps
These resources might help you understand and implement this guidance:
- Product Tip: Optimizing search
- Splunk Docs: View search job properties with the Search Job Inspector in Splunk Enterprise or Splunk Cloud Platform