
Looking through their site, it looks like a Splunk search (or a query) can include a large set of non-trivial, CPU-intensive operations. Therefore, perhaps, it is a process that does not lend itself well to multithreading: http://splunk-base.splunk.com/answers/12027/singlemulti-thre...


That's true as far as it goes.

Nevertheless, I believe that there are opportunities for query multithreading that aren't being taken.

For example, a query like this appends the second query's results to the first, and then graphs both:

sourcetype="blah" | search blahblah | eval series="label1" | append maxtime=600 [search anotherlongsearch | eval series="label2" ] | timechart count(somefield) by series

There is no reason why that second search couldn't be executed simultaneously, and that would approximately halve the time for the whole query to run (assuming sufficient CPU power, etc.).



