I understand in Splunk that multisearch allows multiple searches to run in parallel. However, it's only for streaming searches. Is there a similar command or way to run non-streaming searches in parallel?
What, exactly, are you trying to accomplish? – warren Jul 21 '22 at 22:13
1 Answer
0
Non-streaming commands, by definition, run on the Search Head that initiated the search - and nowhere else.
They're typically expected to run after all the streaming searches have happened, for any finalization/manipulation of the returned data from all Search Peers running the search.
If you run non-streaming commands earlier than necessary in your SPL, you will slow the search down (potentially very dramatically).
Using the Splexicon example cited above, if you run a sort "early" (e.g., before stats), you force the initiating Search Head to do all of the data processing, instead of merely collating what every eligible Search Peer has preprocessed into a final resultset.
warren