Finally, you can also update the tsidxWritingLevel to 3 in the nf file in Splunk Enterprise version 7.3.x and higher. Doing so takes advantage of newer tsidx file formats for metrics and log events that decrease storage cost and increase.

In Splunk Enterprise version 7.2.x and higher, using the zstd compression algorithm in the nf file, rather than gzip, also makes buckets smaller, thereby increasing search speed. Doing so reduces bucket size but increases CPU usage.

If you never use the TERM directive, you can turn off the major breakers in your nf file by moving all the minor breakers to the major breakers field in the section of this configuration file.

Searches saved in dashboards can use tokens to allow users to switch between commands. The base search, which can contain the index and other costly functionality, only needs to run once, which speeds up the search overall. When the token is in a child search, only the child search is updated as the token input changes.
Review the safeguards for risky commands in the Splunk Enterprise manual Securing Splunk Enterprise. Review the indexing performance dashboards to identify any issues or load in a particular pipeline. Review the data quality dashboards to identify and resolve data quality issues.

The Indexing performance: Deployment and Indexing performance: Instance dashboards show indexing performance across the deployment. If you have a search head cluster, the Search head clustering: Scheduler delegation dashboard deals with how the captain orchestrates scheduler jobs. The Scheduler activity: Deployment dashboard shows information about past executions of scheduled searches and their success rates. The Search activity: Instance and Search activity: Deployment dashboards show search activity across your deployment, with detailed information broken down by instance. You can interpret results in these dashboards to identify ways to optimize and troubleshoot your deployment. Use the Monitoring Console dashboards to determine if any searches have performance issues that need attention. The Monitoring Console comes with preconfigured health checks in addition to platform alerts. You can modify existing health checks or create new ones.

The computational effort of a search is greatest at the beginning, so searching across all indexes (index=*) slows down a search significantly. Select an index in the first line of your search.

The tstats command performs statistical queries on indexed fields, so it's much faster than searching raw data. The limitation is that because it requires indexed fields, you can't use it to search some data. However, if you are on 8.0 or higher, you can use the PREFIX directive instead of the TERM directive to process data that has not been indexed while using the tstats command. PREFIX matches a common string that precedes a certain value type.

Major breakers, such as a comma or quotation mark, split your search terms, increasing the number of false positives. For example, searching for average=0.9* searches for 0 and 9*. Searching for TERM(average=0.9*) searches for average=0.9*. You can use the TERM directive when searching raw data or when using the tstats command. If you aren't sure what terms exist in your logs, you can use the walklex command (available in version 7.3 and higher) to inspect the logs.
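To make the breaker and TERM() behaviour described above concrete, here is an added example in Python (not Splunk's own code) that models index-time segmentation with major and minor breakers, which are an assumption approximating the default segmenters.conf, and compares a plain search for average=0.9* with TERM(average=0.9*) over two constructed events.

```python
# Added example, not Splunk code: a toy segmentation model showing why a plain
# search for average=0.9* matches more events than TERM(average=0.9*). Breaker
# sets approximate default segmenters.conf (an assumption; case folding omitted).
MAJOR_BREAKERS = set('[]<>(){}|!;,\'"*\n\r \t&?+')  # split whole values
MINOR_BREAKERS = set('/:=@.-$#%\\_')                # split inside a value

def split_on(text, breakers):
    """Split text at any breaker character, dropping empty pieces."""
    tokens, current = [], []
    for ch in text:
        if ch not in breakers:
            current.append(ch)
        elif current:
            tokens.append(''.join(current))
            current = []
    if current:
        tokens.append(''.join(current))
    return tokens

def index_tokens(event):
    """Lexicon for an event: each major segment plus its minor sub-tokens."""
    lexicon = set()
    for segment in split_on(event, MAJOR_BREAKERS):
        lexicon.add(segment)
        lexicon.update(split_on(segment, MINOR_BREAKERS))
    return lexicon

def token_matches(pattern, token):
    """A trailing * is a prefix wildcard; otherwise exact match."""
    if pattern.endswith('*'):
        return token.startswith(pattern[:-1])
    return token == pattern

def plain_search_matches(term, lexicon):
    """A bare term is segmented too: average=0.9* -> average, 0, 9* (any token)."""
    parts = split_on(term, MINOR_BREAKERS)
    return all(any(token_matches(p, t) for t in lexicon) for p in parts)

def term_search_matches(term, lexicon):
    """TERM() keeps the value whole, so only a full major segment can match."""
    return any(token_matches(term, t) for t in lexicon)

# Constructed sample events; the second has average=0 and a stray 9 elsewhere.
EVENTS = ["2024-01-01 cpu average=0.95 host=web01",
          "2024-01-01 cpu average=0 load=9.5 host=web02"]

def matching_events(term, use_term_directive):
    """Indexes of EVENTS that the search term would retrieve."""
    match = term_search_matches if use_term_directive else plain_search_matches
    return [i for i, e in enumerate(EVENTS) if match(term, index_tokens(e))]
```

Calling matching_events('average=0.9*', False) returns both events while matching_events('average=0.9*', True) returns only the first, which is the false positive the text warns about.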