I performed the exact same search (index=|head 2000000|stats count) on the same indexer against THREE different indexes: fictionaldata, main, udp_syslog
The results were:
fictionaldata: 3.444 seconds
main: 70.491 seconds
udp_syslog: 3.852 seconds
What is going on with main? How can I troubleshoot the performance difference where the primary difference is the target index?
It is probably worth disclosing that main is larger than the other 2 indexes: 8GB vs 500MB, but all have > 2,000,000 rows.
I should also disclose that main has many more field extractions defined... but a 20x performance difference is simply shocking!
Splunk Enterprise Server 6.5.0
Linux, 12 GB RAM, 6 CPU Cores