Note: This article only applies to Splunk Cloud.
Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.
How search optimization helps you do more with less
Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!
Things to know
Use Splunk Cloud Monitoring Console (CMC) dashboards to determine if any searches have performance issues that need attention. The CMC enables you to monitor Splunk Cloud deployment health and to enable platform alerts. You can modify existing alerts or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.
Search Usage Statistics: This dashboards shows search activity across your deployment with detailed information broken down by instance.
Scheduler Activity: This dashboard shows Information about scheduled search jobs (reports) and you can configure the priority of scheduled reports.
Forwarders: Instance and Forwarders: Deployment: These dashboards show information about forwarder connections and status. Read about how to troubleshoot forwarder/receiver connection in Forwarding Data.
Things to do
Improve your source types. Review the data quality dashboards to identify and resolve data quality issues.
Check the HTTP Event Collection Status: If you have set up and use HTTP Event Collector to monitor the progress of a token.