Channel: Questions in topic: "splunk-enterprise"

Why wildcard search is much slower than "where like(field, value)"?

I have two searches that return the same result in my **single Splunk instance environment**, but there is a huge performance difference between the two searches.

**Searches:**

1. `index=main sourcetype="aws:description" placement="us-west-2*"`
2. `index=main sourcetype="aws:description" | where like(placement, "us-west-2%")`

**Results:**

1. This search has completed and has returned 2,013 results by scanning 36,909 events in 35.372 seconds.
2. This search has completed and has returned 2,013 results by scanning 561,295 events in 11.913 seconds.

The raw events are in JSON format. The **placement** field has the values us-west-2a, us-west-2b, and us-west-2c. The performance gap becomes even larger with a larger data set.

Could anyone explain why the wildcard search is much slower? Is it always best practice to use where + like? Thanks!
