Splunk Concise Tutorial
Splunk - Search Optimization
Splunk already includes optimization features that analyse and process your searches for maximum efficiency. This efficiency is achieved mainly through the following two optimization goals −
- Early Filtering − These optimizations filter the results very early, so that the amount of data being processed is reduced as early as possible in the search process. This early filtering avoids unnecessary lookup and evaluation calculations for events that are not part of the final search results.
- Parallel Processing − The built-in optimizations can reorder search processing so that as many commands as possible run in parallel on the indexers before the search results are sent to the search head for final processing.
Analyzing Search Optimizations
Splunk gives us tools to analyse how the search optimization works. These tools help us figure out how the filter conditions are used and in what sequence the optimization steps are applied. They also show us the cost of each of the steps involved in the search operation.
Example
Consider a search operation that finds the events containing the words fail, failed or password. When we enter this search query in the search box, the built-in optimizers act automatically to decide the path of the search. We can verify how long the search took to return a given number of results and, if needed, go on to check each step of the optimization along with the cost associated with it.
We follow the path Search → Job → Inspect Job to get these details, as shown below −
image::https://www.iokays.com/tutorialspoint/splunk/_images/search_optimisastion_1.jpg[Search Optimization 1]
The next screen gives details of the optimization that was applied to the above query. Here, we need to note the number of events and the time taken to return the result.
image::https://www.iokays.com/tutorialspoint/splunk/_images/search_optimisastion_2.jpg[Search Optimization 2]
Turning Off Optimization
We can also turn off the built-in optimization and observe the difference in the time taken to return the search result. The result may or may not be better than with the built-in optimization. In case it is better, we may choose to turn off the optimization for this specific search only.
In the diagram below, we use the No Optimization command, written as noop in the search query.
image::https://www.iokays.com/tutorialspoint/splunk/_images/search_optimisastion_3.jpg[Search Optimization 3]
The next screen shows us the result of running the search with no optimization. For this particular query, the results come back faster without the built-in optimizations.
image::https://www.iokays.com/tutorialspoint/splunk/_images/search_optimisastion_4.jpg[Search Optimization 4]
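The tutorial never shows the actual search strings, so the three SPL searches below are an added example, not the tutorial's own text. They illustrate the early-filtering goal from the top of this page and the noop switch from the section above. The index name `main` and the `host` field are assumptions; the terms fail, failed and password are the ones from the example. The first search keeps the keyword filter in the base search, where the optimizer wants it, so the indexers discard non-matching events before any later command sees them. The second search builds a field with eval and filters on that field afterwards; because the filter depends on an evaluated result it cannot be moved in front of the eval, so every event is evaluated first, which is exactly the extra work early filtering is meant to avoid. The third search is the first one with built-in optimization disabled; the form assumed here is the documented `| noop search_optimization=false` appended to the search.

```spl
index=main (fail OR failed OR password)
| stats count BY host

index=main
| eval msg=lower(_raw)
| search msg="*fail*" OR msg="*password*"
| stats count BY host

index=main (fail OR failed OR password)
| stats count BY host
| noop search_optimization=false
```

Run each search separately and open Search → Job → Inspect Job for each one. Compare the event count and the run time reported at the top of the inspector, then look in the Execution costs section at how much time the indexer-side search components consumed relative to the later commands. The first and third searches return the same events, so any difference between them is the cost or benefit of the optimizer alone; the second search is worth inspecting because a filter that cannot be pushed down shows up as more events scanned and more time spent in eval than in the optimized version.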