Looking to speed up search queries. Upon looking at search.log, it is apparent that Splunk is attempting to extract or pull data from source types other than the one specified within the search.
For example (this is with dummy data for explanation):
Verbose/Fast search on sourcetype = abc
Proper events are returned.
Inspect Job and look into search.log: many outside sourcetypes and stanzas are referenced in the following ways.
CalcFieldProcessor - Found valid eval expression for field 'type' in stanza [randomstanza]': "config"
CalcFieldProcessor - Found valid eval expression for field 'field2' in stanza [randomstanza]': "fieldtwo"
SearchOperator:kv - name=example_header, can_use_jit=1, regex: ^(#)
If I delete the sourcetype/app and restart the search head, this issue does not occur. Hoping someone can shed some light on this subject, which would be much appreciated. Also, if anyone needs any clarification, please ask.
Thanks in advance!
I can't post links, but would like to reference something similar which did not appear to be resolved within the question below.
'Is Splunk extracting unnecessary fields?'