
Hi Guys !!

Today we will show you the usage of noop command.

Definition of noop command:

The noop command is an internal command, which is used to debug the searches. It also includes several arguments that we can use to troubleshoot search optimization issues.

Syntax of noop command:

| noop [search_optimization=<boolean>] [search_optimization.<optimization_type>=<boolean>]

There are no required arguments.

search_optimization=<boolean>: Enables or disables all optimizations for the search. The default value is true.

search_optimization.<optimization_type>=<boolean>: Enables or disables a specific type of search optimization for the search. The default value is true.

NOTE: For the list of optimization_type arguments, click on the link below:

"Optimization Type"

Usage of noop command:

Here, we will show you how the noop command handles search optimization.

By default, search optimization is enabled in Splunk through the limits.conf file. Enabling or disabling search optimizations can help us troubleshoot some kinds of search issues. For example, we might need to experiment with disabling and enabling search optimizations to determine whether they are causing a search to be slow to complete.

So, let's see how the noop command interoperates with the limits.conf search optimization settings. To understand this, consider the following points:

  1. If the [search_optimization] stanza is set to enabled=true in limits.conf, the search processor checks whether the individual optimization types under search_optimization are enabled or disabled in limits.conf.
  2. If the [search_optimization] stanza is set to enabled=false, the search processor ignores the settings for the other optimization types. It assumes all of the optimization types are set to enabled=false.
  3. For example, we have the following configuration in limits.conf:
[search_optimization]
enabled= false
[search_optimization::replace_table_with_fields]
enabled= false

With this configuration, the search processor ignores the disabled replace_table_with_fields setting: because [search_optimization] is disabled, it assumes all optimizations are disabled.


Say, in this case, we run the following search, which uses the noop command to enable search optimization:

.... | noop search_optimization=true

With this, search optimization is enabled, but the search processor sees that in limits.conf the "replace_table_with_fields" optimization is disabled. It runs the search with all optimization types enabled except "replace_table_with_fields".

So, if you want to enable "replace_table_with_fields" as well with the noop command, you need to use the command below:

.... | noop search_optimization=true search_optimization.replace_table_with_fields=true

When this search runs, it overrides both limits.conf settings: the setting for [search_optimization] and the setting for [search_optimization::replace_table_with_fields]. The search runs with all optimizations enabled.

In the same way, if the [search_optimization] stanza is set to enabled = true and the optimization types are set to enabled = true (the default values), we can use

.... | noop search_optimization=false

to disable all search optimizations, or

.... | noop search_optimization=true search_optimization.<optimization_type>=false

to disable a particular type of search optimization.
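To make the precedence rules above concrete, here is an added Python model (not code from the original post or from Splunk) that resolves which optimization types actually run for a search, given a limits.conf fragment and the arguments passed to | noop. The limits.conf text is the one from this post; of the optimization type names, only replace_table_with_fields comes from the post, and the parser for the noop clause is an assumption of this example.

```python
# Added example (not from the post or from Splunk): models how the search processor
# combines limits.conf search-optimization stanzas with "| noop" arguments.
import configparser
import re

# Constructed sample input: the limits.conf fragment used in the post.
LIMITS_CONF = """
[search_optimization]
enabled = false
[search_optimization::replace_table_with_fields]
enabled = false
"""
# Only replace_table_with_fields comes from the post; the other names are assumed.
OPT_TYPES = ("replace_table_with_fields", "projection_elimination", "predicate_merge")

def parse_limits(text):
    """Return (master switch, {type: enabled}); a missing 'enabled' key defaults to true."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    master = cp.getboolean("search_optimization", "enabled", fallback=True)
    per_type = {}
    for section in cp.sections():
        if section.startswith("search_optimization::"):
            per_type[section.split("::", 1)[1]] = cp.getboolean(section, "enabled", fallback=True)
    return master, per_type

def parse_noop(spl):
    """Return {argument: bool} for the key=value pairs after '| noop' (empty if absent)."""
    m = re.search(r"\|\s*noop\b([^|\n]*)", spl)
    if not m:
        return {}
    return {k: v.lower() in ("true", "t", "1") for k, v in re.findall(r"(\S+?)=(\S+)", m.group(1))}

def effective_optimizations(limits_text, spl, types=OPT_TYPES):
    """Resolve which optimization types actually run for the given search."""
    master, per_type = parse_limits(limits_text)
    noop = parse_noop(spl)
    # "noop search_optimization=<bool>" overrides the [search_optimization] stanza.
    master = noop.get("search_optimization", master)
    if not master:
        return {t: False for t in types}  # master off: per-type settings are ignored
    # Master on: the limits.conf per-type value applies unless noop overrides it.
    return {t: noop.get("search_optimization." + t, per_type.get(t, True)) for t in types}

if __name__ == "__main__":
    query = "index=_* OR index=* | stats count by index | noop search_optimization=true"
    print(effective_optimizations(LIMITS_CONF, query))
```

Running the three searches from this post through effective_optimizations reproduces the three outcomes described above: everything off, everything on except replace_table_with_fields, and everything on.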

For more search optimization types, please go through the document below.

https://docs.splunk.com/Documentation/DFS/1.1.2/DFS/Limitsconf

With the below configuration in limits.conf, we will show you three examples.

[search_optimization]
enabled = false

[search_optimization::replace_table_with_fields]
enabled = false

By default, both are true, so to use the above configuration we have placed limits.conf under $SPLUNK_HOME/etc/system/local and restarted Splunk after the changes.

Example 1

Step 1:

Please see the query below:

index=_* OR index=* 
| stats count by index,sourcetype,source 
| table index,source,sourcetype,count 

Step 2:

Explanation:

Now, we will click on "Job" >> "Inspect Job".

Step 3:

Explanation:

Here, you can see the time taken to complete the search. Now we will click on search.log to check the optimization settings.


Step 4:

Explanation:

Here, we can see the log line saying that search optimizations have been disabled in limits.conf: "Set enabled=true in [search_optimization]".

Example 2:

Step 1:

Please see the query below:

index=_* OR index=* 
| stats count by index,sourcetype,source 
| table index,source,sourcetype,count 
| noop search_optimization=true

Explanation:

Here, we have used | noop search_optimization=true in the query. As "search_optimization" is enabled = false in limits.conf, | noop search_optimization=true overrides the limits.conf value for "search_optimization".

But, as search_optimization::replace_table_with_fields is enabled = false in limits.conf, this cannot be overridden with | noop search_optimization=true alone.

Step 2:

Explanation:

Now, in "Job" >> "Inspect Job", we can see the time taken to complete the search. Now we will click on search.log to check the optimization settings.

NOTE:

As you can see, the time taken to complete this query is more than for the previous query; this is because the number of events also increased. The search is actually optimized. THIS IS APPLICABLE FOR ALL EXAMPLES WHERE WE WILL SHOW YOU NOOP COMMAND USAGE FOR SEARCH OPTIMIZATION.

Step 3:

Explanation:

Here, in search.log, you can see:

"Search optimization force enabled using '|noop search_optimization=t'".

Also, you can see: "Search optimizations have been disabled in limits.conf. Set enabled=true in [search_optimization::replace_table_with_fields]".

Example 3:

Step 1:

Please see the query below:

index=_* OR index=* 
| stats count by index,sourcetype,source 
| table index,source,sourcetype,count 
| noop search_optimization=true search_optimization.replace_table_with_fields=true

Explanation:

Here, we have used | noop search_optimization=true search_optimization.replace_table_with_fields=true in the query, which overrides the limits.conf enabled = false value of search_optimization::replace_table_with_fields to true.

Step 2:

Explanation:

Now, in "Job" >> "Inspect Job", we can see the time taken to complete the search. Now we will click on search.log to check the optimization settings.



Step 3:

Explanation:

Here, in search.log, you can see:

"Search optimization force enabled using '|noop search_optimization=t'".

Also, you can see: "Search optimization force enabled using '|noop search_optimization::replace_table_with_fields=t'".

Hope you have enjoyed this blog, we will come back with new topics of Splunk. Until then goodbye and stay safe and strong.

Happy Splunking !!
