Channel: Latest Questions on Splunk Answers

Unique KeyValue search performance


Hey Everyone,

I'm having a bit of trouble with Splunk search performance. I currently have around 1 million rows of logs, each row approx. 1 KB wide, that conform to the following pattern:

SomeKey1="stringdata" SomeKey2="stringdata" SomeKey3="stringdata" KeyID="UniqueNumericID"

When I do a search on this data using a simple search query such as:

search sourcetype=sourcetypeid KeyID="1"

It takes up to 20-30 secs to return the single matching event on a dedicated server (quad-core Xeon, 16 GB RAM, SATA3 SSD) using either the GUI or the REST API. After inspecting many similar query jobs, the largest consumer of time seems to be dispatch.fetch / dispatch.stream.local. When you take into account that I need to do similar queries very often and programmatically, I assume the best thing to do would be to extract the KeyID field at index time. Would this drastically improve the search speed? Are there any other pitfalls that I may have missed?

Thanks in advance..

