Skip to main content

Optimizing search in Splunk Cloud

  • Updated

Note: This article only applies to Splunk Cloud.

Splunk works fine out of the box. As you increase load on your system, though, you'll want to get familiar with ways to enhance its ability to handle that load. We’ll show you how to identify the cause of slow searches and review possible trouble spots in your deployment.

How search optimization helps you do more with less

Slow searches can be caused by inefficient search practices, but they can also be caused by poor data quality. You can find remarkable performance improvements when you resolve things like the incorrect event breaks and time stamp errors in the data. Inefficiencies like these can cause indexers to work overtime both when indexing data and finding the search results. If your searches run more efficiently, they also run faster and complete sooner. Which means the system can handle more of them in the same time!

Things to know

Use Splunk Cloud Monitoring Console (CMC) dashboards to determine if any searches have performance issues that need attention. The CMC enables you to monitor Splunk Cloud deployment health and to enable platform alerts. You can modify existing alerts or create new ones. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment.

  • Search Usage Statistics: This dashboards shows search activity across your deployment with detailed information broken down by instance.

  • Scheduler Activity: This dashboard shows Information about scheduled search jobs (reports) and you can configure the priority of scheduled reports.

  • Forwarders: Instance and Forwarders: Deployment: These dashboards show information about forwarder connections and status. Read about how to troubleshoot forwarder/receiver connection in Forwarding Data.

Things to do



Related articles

Comments

0 comments

Article is closed for comments.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.