I wouldn't worry about the number of records scanned, if they both got identical results, but I'd make sure the time frames and output results were identical before assuming the code was working apples-to-apples. Check the results against each other and make sure they came out identical. Check the details of the run and see how much of that time is on the indexers and how much on the search head. For overall throughput, slightly more CPU time but all of it on the indexers is far better than slightly less CPU time all on the search head. So, given your results, it looks like the results are in alignment with my expectations: dedup is slightly less efficient, as expected, but only slightly so. They are close enough in overall performance that you can go either way and no one will say "Boo" 'bout it. Then do whatever makes sense.

Footnote: Be careful of table. It is a transforming command which has a natural limit on how many results it will allow (50k?).

Footnote 2: use at the end of your earliest and latest to make sure the two timelines are exactly the same.

The stats command calculates aggregate statistics, such as average, count, and sum, over the result set. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set.

The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. The metadata command returns information accumulated over time. You can view a snapshot of an index over a specific timeframe, such as the last 7 days, by using the time range picker.

By default Splunk limits messages to 10,000 bytes (characters); the default event size limit is 10000 characters. You can increase this limit in the Splunk properties files. Depending on the size of your JSON records this may or may not need to be modified.

If identity data in Splunk for different types of users is high quality, reflects different usage patterns, and there are fewer than 1024 of them, then MLTK may be the direction to go. Using streamstats to get neighboring values: as an alternative to MLTK, I use streamstats to mimic how I, as an analyst, investigate an alert.

From the Splunk Web navigation menu, select Settings. From under the Data menu, select Indexes. Click New Index and you will encounter a dialog like the example shown here. Add the events index to contain the audit device log data.
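The apples-to-apples comparison discussed above, written out as an added example (not the original poster's searches). The index `web`, the sourcetype `access_combined` and the fields `clientip` and `status` are assumed sample data. The first search is the dedup form, the second is the stats form that should return the same rows (dedup keeps the most recent event per `clientip`, which `latest(status)` reproduces), and the third feeds both into `set diff`, which should return zero rows if they really match. Both searches pin `earliest` and `latest` to the same snapped values so the two timelines are identical, which is the footnote's point.

```spl
index=web sourcetype=access_combined earliest=-24h@h latest=@h
| dedup clientip
| table clientip, status

index=web sourcetype=access_combined earliest=-24h@h latest=@h
| stats latest(status) AS status BY clientip

| set diff
    [ search index=web sourcetype=access_combined earliest=-24h@h latest=@h | dedup clientip | table clientip, status ]
    [ search index=web sourcetype=access_combined earliest=-24h@h latest=@h | stats latest(status) AS status BY clientip ]
```

After running each of the first two searches, open the Job Inspector (Job > Inspect Job) and compare the time spent on the indexers against the time spent on the search head, which is where the "slightly more CPU but all of it on the indexers" trade-off shows up. `set diff` runs its arguments as subsearches, so on large result sets it is itself subject to the subsearch result limit; for big comparisons, compare `stats dc(clientip)` and `stats count` from each form instead.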
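An added example of the metadata command described above (not from the original page) that turns the accumulated per-sourcetype information into a quick "which log source went quiet" check. The index name `web` is assumed; the field names `firstTime`, `lastTime`, `recentTime` and `totalCount` are the ones metadata actually emits. The time range picker still bounds what metadata reports, so run it over a window wider than your expected logging gap.

```spl
| metadata type=sourcetypes index=web
| where lastTime < relative_time(now(), "-1h")
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| sort - lastTime
| table sourcetype, totalCount, firstTime, lastTime, recentTime
```

`lastTime` is the timestamp of the newest event, while `recentTime` is when that event was indexed; a large gap between the two points at delayed forwarding rather than a silent source. Swap `type=sourcetypes` for `type=hosts` to do the same per host.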
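An added example (not from the original page) for checking whether JSON records are hitting the 10,000-character limit mentioned above before raising it. The index `app` and sourcetype `app:json` are assumed. Events whose raw length is exactly at the limit are the suspects, since truncation cuts them off at the configured size and leaves the JSON unparseable.

```spl
index=app sourcetype=app:json
| eval raw_len=len(_raw)
| where raw_len >= 10000
| stats count AS suspect_events, max(raw_len) AS max_len, min(_time) AS first_seen BY host, sourcetype
| convert ctime(first_seen)
```

If this returns rows, the setting to change is `TRUNCATE` in the sourcetype's `props.conf` stanza on the indexers or heavy forwarders that parse the data (its default is 10000). Set it to a value comfortably above your largest record rather than 0, since 0 disables truncation entirely and lets a single runaway record consume parsing memory.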
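An added example of the streamstats approach described above (not the author's search) that pulls in the neighbouring event for each authentication failure, the way an analyst would look at what happened just before an alert. The index `auth`, sourcetype `linux_secure` and fields `action`, `user` and `src` are assumed. Events are sorted oldest-first so that "previous" means chronologically earlier; `current=f window=1` makes each row carry the preceding event's values for the same user.

```spl
index=auth sourcetype=linux_secure action=failure
| sort 0 _time
| streamstats count AS failures_so_far BY user
| streamstats current=f window=1 last(_time) AS prev_time, last(src) AS prev_src BY user
| eval gap_seconds=_time - prev_time
| where gap_seconds < 60 AND src != prev_src
| convert ctime(prev_time)
| table _time, user, src, prev_src, prev_time, gap_seconds, failures_so_far
```

The `where` clause flags failures for the same user arriving from a different source address within a minute of the previous failure, a pattern worth a look regardless of whether the user population is small enough for MLTK. Widen `window` to compare against more than one prior event, and replace `last(src)` with `values(src)` to see every recent source instead of only the immediately preceding one.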