Splunk Query Optimization

Hello Everyone,

I am learning to document and this would be my first article.


Why are we looking to optimize query:

When you ask another person a question, the answer is sometimes quick and crisp. Sometimes it is relevant, sometimes it carries only a little useful information, and sometimes, when like-minded people speak, it is right to the point.

The same thing happens when humans query machines.


Who requires optimization?
1. Novice/New learner
    They are learners and try to find every possible answer that can satisfy their work or themselves.

2. Advanced users
     Optimization is typically required here when we fail to notice minor keywords while writing the query.


How can we optimize our Splunk query:
 Splunk has many moving parts, and querying it is like catching a fish in a lake or ocean.

Let's get started:

You also need to know and recall the components from an architectural point of view. Each part is interconnected, and you have to correlate them before running a query.

A. What output do you require?
 When you are only randomly looking for a keyword, you can just put the keyword in the search bar and you are done. You will get all possible matches from different sources and different indexes.

Query:
           index=* "hello world!"

Query:
           index=symantec sourcetype=json | stats count



B. Splunk components used when a query is executed:

1. Search Head
2. Master Node
3. Indexers
4. Source Type
5. Indexes



C. Is the environment multi-cluster or single cluster?

If the environment is not multi-cluster, run your first query on whichever search head you have access to.

If the environment is multi-cluster, you need to see where the data aggregation is happening. This data aggregation may be split by geo-location or by other factors, including political ones.



D. You ne




Some parameters for your query:

1. Time range
2. Keyword (multi-keyword)
3. Source Type
4. Use of operators (AND, OR, and NOT)
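As an added example (not from the original post), here is the same search written twice: first as the broad keyword hunt from section A, then narrowed with all four parameters above. The index name `symantec`, the sourcetype `json`, the keywords and the 24-hour window are assumptions for illustration only.

```spl
index=* "hello world!"

index=symantec sourcetype=json earliest=-24h latest=now
    ("hello world!" OR "hello splunk") AND NOT debug
| stats count by host
```

The first search forces every indexer to scan every index over the default time range, so it is slow and returns matches from sources you do not care about. The second search tells Splunk which index and sourcetype to read, bounds the time range with `earliest` and `latest`, combines keywords with `OR`, excludes noise with `NOT`, and then reduces the result to a count per host so only the summary crosses from the indexers to the search head.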

For more help you always have:
