Splunk.com | SplunkBase | Support

Documentation: 3.1.4

| Print Version Contents

Getting Started
- About the getting started section
- Installation
- Start Splunk for the first time
- Administration Basics
- Change defaults
- Find and index data
- Add more users
- Start searching
How Splunk Works
- How Splunk Works
Configuring a Splunk Deployment
- About the deployment section
- Choose a Deployment Model
- Decide how Splunk should index your data
- Install Splunk on every host
- Configure the receiving servers
- Configure the forwarding servers
- Set up the deployment server
  - Configure the deployment server
  - Set up deployment classes
Data Inputs
- How input configuration works
  - Data input types
  - Indexing properties
- Configure inputs via SplunkWeb
- Configure inputs via the CLI
- Configure inputs via inputs.conf
  - Configuration
- Index SNMP events with Splunk
- Scripted inputs
  - Configuration
  - Example
- Add binary files
  - Configuration
  - Example
- log4j
  - External Links
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
- File whitelisting / blacklisting
Hosts
- How host works
- Set default host for a Splunk server
  - via SplunkWeb
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via SplunkWeb
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Set source type for an input
  - via SplunkWeb
  - via configuration files
- Set a source type for a source
  - via configuration files
- Train Splunk on a sourcetype
  - via the CLI
- Create an alias for a source type
  - via SplunkWeb
- Rule-based association of sourcetypes
Timestamp Recognition
- How Splunk recognizes timestamps
  - Timestamp precedence
  - Configuration files for timestamps
- Configure Splunk to recognize a timestamp
- Train Splunk to recognize timestamps
  - About training
  - via the CLI
- How to configure timezone offsets
- Tune Timestamping
  - Turn off timestamp lookahead
Events
- How events work
- Large events
- Multiline events
  - Configuration
  - Examples
- Mask sensitive data in an event
  - Configuration
- Character set
  - Character set specification
Event Types
- How event types work
- Save event types via SplunkWeb
  - Configuration
  - Example
- Tag event types
  - Configuration
- Configure auto-discovery
  - Configuration
  - Example
- Configure eventtypes.conf
Meta Events
- How meta events work
  - Transitive meta events
  - Configuration files for meta events
- Configure meta events
  - Configuration
  - Examples
Fields
- How fields work
- Create additional search fields
  - Configuration
  - Example
- Define additional extracted fields
  - Configuration
  - Example
- Field actions
  - Configuration
- Define extracted fields in meta events
  - Configuration
  - Example
Segmentation
- How segmentation works
  - Configuration files for segmentation
- Configure segmentation
- Enable custom segmentation
  - Configuration
  - Example
Saved Searches and Alerts
- How saved searches work
  - Saved searches
  - Alerting
- Set up saved searches
  - via SplunkWeb
  - via configuration files
- Set up alerts
- Send SNMP traps
  - Configuration
- Send syslog events
  - Configuration
  - Example
- Form searches
Authentication
- How authentication works
- SSL
  - Configuration
  - SSL for SplunkWeb
- Set up users
- Set up LDAP
Granular Access Control
- How Granular Access Control works
  - Configuration files for access controls
- Configure access controls
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure outputs.conf
  - Configuration
  - Optional attributes
- Set up routing
  - Configuration
  - Examples
- Route data to third-party systems
  - Configuration
  - Example
- Enable cloning
- Set up SSL
  - Forwarder
  - Receiver
- Set up data balancing
  - Configuration
  - Example
- Filtering and routing
  - Configuration
  - Example
- Route specific events to an alternate index
  - Configuration
  - Example
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via SplunkWeb
- Enable distributed search via the CLI
  - Configuration
- Configuration files for distributed search
- Users in a distributed search setup
- Exclude specific Splunk servers from distributed searches
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
- Configure deployment clients
  - Enable the client and server
  - Sync the server and client
- Configuration changes after initial deployment
- Using Splunk with 3rd Party configuration management systems
Index Management
- How Index Management Works
  - Data management
  - Configuration files for index management
- Add or Remove an index
  - Create an index
  - Delete an index
- Move an index
  - Configuration
- Disk usage
  - Set minimum free disk space
  - Set database size
- Set retirement policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - Export from the CLI
  - Export from the GUI
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Set up a WORM datastore
- Delete data from the index
  - Delete everything
  - Delete a subset of events
Bundles
- What are Bundles?
- How to create a bundle
- Configure bundles
  - Making a bundle
- Bundle directory structure
- Bundle precedence
- Bundle best practice
  - Testing bundles
SplunkBase
- Why use SplunkBase?
- Sharing add-ons on SplunkBase
- Finding and downloading add-ons on SplunkBase
  - Implementing add-ons from SplunkBase
- Looking up events on SplunkBase
  - Configuration
- Security and privacy considerations
- Control user access to SplunkBase
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Virtual machines
Routine Maintenance
- System backups
  - Backups in 3 Easy Steps
- Monitoring Splunk
  - via SplunkWeb
How-To
- Make SplunkWeb search faster
  - Enable core fields only
  - Disable related
  - Disable typeahead
- Harden a Splunk server
- Secure network connections
- Restore a failed server
- Change data policy to recover space
- Anonymize data samples
  - Simple method
  - Advanced method
- Public server setup
- Determine daily volume
- Determine what files Splunk will be tailing
  - Running listtails
- Set up auto-refresh
- Upgrade your license for more data
- How to use Splunk 2 Nagios
  - What Nagios logs
  - Install the Splunk2Nagios integration
- Restore a blocked license
- Customize the built-in help module
- Configure GUI Timeout
- Configure the Get Started module
- Disable SplunkWeb
  - Edit web.conf
  - Run the disable command
  - Re-enable SplunkWeb
- Configure OPSEC LEA Input
  - Installation
  - Checkpoint Modification
  - Configuration
- Place Splunk behind a web proxy
  - Scenario:
  - Solution:
- Cancel Search
- Strip syslog headers before processing
- Reconstitute Logs
  - Export event data
  - CLI search
- Enable HTTPS
  - configuration
- Estimate the size of your Splunk index and associated data
Troubleshooting
- Splunkd is down
- Splunk logfiles
- License issues
- Unable to get a properly formatted response from the server
- Contact Support
  - Work with Splunk Support
  - Log levels and starting in debug mode
Reference
- Splunk CLI
  - CLI commands
  - auth and uri parameters
  - Note for Mac users
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- Configuration file list
- access_controls.conf
  - access_controls.conf.spec
  - access_controls.conf.example
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- auth.conf
  - auth.conf.spec
  - auth.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- literals.conf
  - literals.conf.spec
  - literals.conf.example
- metaevents.conf
  - metaevents.conf.spec
  - metaevents.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.spec
  - props.conf.example
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.spec
  - segmenters.conf.example
- server.conf
  - server.conf.spec
  - server.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.spec
  - user-seed.conf.example
- web.conf
  - web.conf.spec
  - web.conf.example

This page last updated: 09/24/07 05:09pm

Make SplunkWeb search faster

If you find that your searches are not returning quickly enough, you can make a few changes to Splunk to return results faster in the UI. Here are a few things you can try:

Enable core fields only

You can change your searches to use core fields only. Core fields include only host: source: and sourcetype::. If you do not need any additional fields for your searches, turn core fields only on by selecting the Fields drop down menu from any search results page. Check the core only (faster searching) box:

Disable related

If you want to keep all your search and extracted fields, you can still increase your search time by turning off the Search for related events field action.

If you find that you are not using related events in your searches, you can use this method to vastly increase your search time.

Please note: this configuration still enables both search and extracted fields but does not support related events.

To make changes, edit SPLUNK_HOME/share/splunk/search_oxiclean/static/js/query.js.

Around line 750, you'll see the following three lines:

           if (componentClass=="resultsScrollerComponent" && !isReport) { 
               readLevel = (!isTurboOn && isVanillaSearch) ? 11 : 2; 
           }

Changing the 11 to a 3 will permanently disable the related processing from running, and therefore enable faster search results.

Disable typeahead

Typeahead is supposed to be restricted to your current timerange. Currently, however, this only works with absolute timeranges. If you have large datasets of days, months or years, typeahead can be very slow and unduly load the server.

The short-term fix is to disable typeahead altogether. To affect this change, edit SPLUNK_HOME/share/splunk/search_oxiclean/static/js/typeahead.js

Look for the string TypeAheadQuery.prototype.send. It is the first line of a function that's about 30 lines.

In the middle of this function, you will find the following code:

   if (selectionRange.startTime) { 
       qArgs['startTime'] = selectionRange.startTime.print(window.SEARCH_TERM_TIME_FORMAT); 
   } 
   if (selectionRange.endTime) { 
       qArgs['endTime'] = selectionRange.endTime.print(window.SEARCH_TERM_TIME_FORMAT); 
   }

Insert this new line right after the above block of code:

if (!selectionRange.startTime || !selectionRange.endTime) return false;

That will disable typeahead entirely unless you've clicked a bar in the timeline, or are using custom time.

Previous: Monitoring Splunk | Next: Harden a Splunk server

Comments

No comments have been submitted.

Log in to comment.