Splunk Search Modes

Currently, Splunk offers three search modes. The search mode is a setting that optimizes your search performance by regulating the size or type of data that the search returns.

The Splunk Search mode has three variations: Fast, Smart and Verbose. You can choose any of the modes from the Search Mode selector to have a search experience that fits your criteria.

Search Mode Selector: The search mode selector is on the right side of the Search bar, beneath the time range picker. By default, it operates in Smart mode.

NOTE: Depending on the mode you set, you can see all the data available for your search, though it may cost you search time, or you can speed up your searches in certain ways. The Smart mode (default) switches between the Fast and Verbose modes automatically, depending on the type of search (SPL) that you are running.

The Fast mode

This search mode prioritizes the performance of the search: it doesn’t return any nonessential field or event data and focuses only on returning what seems to be essential. Key factors of Fast mode:

  • Disabled field discovery – Field discovery is the process Splunk uses to extract fields other than the default fields such as host, source, and sourcetype. In Fast mode, Splunk only returns information for the default fields and the fields that are needed to fulfil your search/query. If you are searching on specific fields, those fields are extracted.
  • Search results are only depicted as tables or visualizations when you run a transforming/reporting search (see Types of commands in Splunk).

The Smart mode

Smart mode is the default search mode, and every report runs in this mode after it is created. Smart mode is designed to return the best results for whatever search or report you are running. If you search on events, you get all the event information you require. If you run a transforming search, Splunk takes you straight to the report result table or visualization.

NOTE: A Smart mode search that does not include any transforming commands behaves as the Verbose mode, and a Smart mode search that includes transforming/reporting commands behaves as the Fast mode.
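The rule in the note above can be modelled in a few lines. This is an added example, not Splunk's own code: the function names are hypothetical, the command set is a small subset of Splunk's transforming commands chosen for illustration, and the sample searches are constructed. It shows two cases that are easy to misjudge by eye: a pipe inside a quoted string, and a transforming command that only appears inside a subsearch.

```python
# Subset of Splunk transforming commands (assumption: illustrative, not the full list).
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}


def split_pipeline(spl):
    """Split SPL on top-level pipes, ignoring pipes in quotes or [subsearches]."""
    stages, current, depth, in_quote = [], [], 0, False
    i = 0
    while i < len(spl):
        ch = spl[i]
        if ch == "\\" and in_quote and i + 1 < len(spl):
            current.append(spl[i:i + 2])  # keep an escaped character as-is
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "[":
            depth += 1
        elif not in_quote and ch == "]":
            depth = max(0, depth - 1)
        if ch == "|" and not in_quote and depth == 0:
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    stages.append("".join(current).strip())
    return [s for s in stages if s]


def smart_mode_behaviour(spl):
    """Return 'fast' if a top-level stage is a transforming command, else 'verbose'."""
    for stage in split_pipeline(spl):
        command = stage.split(None, 1)[0].lower()
        if command in TRANSFORMING:
            return "fast"
    return "verbose"


# Constructed sample searches, not taken from the original page.
SAMPLES = [
    'index=auth action=failure',
    'index=auth action=failure | stats count by user',
    'index=auth msg="login | stats failed"',
    'index=auth [ search index=vpn | top limit=5 user | fields user ] | eval x=1',
]

if __name__ == "__main__":
    for spl in SAMPLES:
        print(f"{smart_mode_behaviour(spl):8} {spl}")
```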

The Verbose mode

This mode returns all of the field and event data that is possible, no matter how long the search takes to complete, even if the search includes reporting/transforming commands.

  • All field discovery – Every field is discovered, including default fields, automatic search-time field extractions, and all the user-defined index-time and search-time field extractions.
  • Event list view of results and the search timeline generation – It can also generate report tables and visualizations if your search includes transforming commands.

NOTE: Your reports can’t benefit from report acceleration if you run them in Verbose mode. All the reports for which you have enabled report acceleration use Smart mode, so be aware that if you switch the mode of the search to Verbose, it will become slower. In some cases, you may want to use the Verbose mode if you are using a transforming search but are not exactly sure what fields you need, or if you need to verify that whatever you are working on is the correct set of events.

Thanks for reading…

Happy Splunking!!
