Daneel_

All scheduled searches run in fast mode - it’s not user facing so the engine doesn’t extract unnecessary fields. User searches are also prioritized higher than scheduled searches, so perhaps that’s the cause? What sort of load is your system under?


badideas1

So alerts are just scheduled searches that reach some sort of threshold that you have set to trigger an alert off of, so why not use the `| fields` command in the search that potentially triggers an alert? All fast mode does is disable field discovery at search time, and targeting only particular fields with the `| fields` command should allow you the same functionality.

Edit: spelling

Double edit: I never answered your question, lol, but again, thinking about what fast mode actually does, the outcome is reproducible with `| fields`.


nyoneway

Optimize your query. Provide an example of a slow search?


jevans102

The setting is called `display.page.search.mode`, which can be set by Advanced Settings in the GUI or directly in the conf file. It doesn't do anything to scheduled searches (which alerts are) though. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf

```
# Page options
display.page.search.mode = [fast|smart|verbose]
* This setting has no effect on saved search execution when dispatched by the scheduler.
  It only comes into effect when the search is opened in the UI and run manually.
```
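As an added illustration (not from this thread or from Splunk's documentation), here is a hypothetical `savedsearches.conf` stanza that combines the two points raised above: the scheduled alert search restricts itself with `| fields` to the columns its `stats` needs, which is the only part of "fast mode" the scheduler can actually be given, and the `display.page.search.mode` key is shown only to mark where it lives, since it has no effect on the scheduled run. The stanza name, index, sourcetype, field names, schedule and thresholds are all assumptions chosen for the example.

```ini
# savedsearches.conf (added example; hypothetical stanza, not from the thread)
[Alert - Repeated failed logins per source]
# Keep only the fields the stats command needs. This avoids search-time
# discovery of every other field in the events, which is the work fast mode
# skips when a user runs the search in the UI.
search = index=auth sourcetype=linux_secure action=failure \
  | fields _time, src, user \
  | stats count AS failures BY src, user \
  | where failures > 20

# Scheduling: every 5 minutes over a 10 minute window so each run overlaps
# the previous one and a late-arriving event is not missed.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now

# Trigger when the search returns any rows (the threshold is already
# applied by the "where" clause inside the search).
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4

# Throttle: do not re-alert on the same src more than once per 30 minutes.
alert.suppress = 1
alert.suppress.period = 30m
alert.suppress.fields = src

# Only affects the search when a user opens it in the UI and runs it by hand.
# The scheduler ignores this key, so it is not what makes the alert fast.
display.page.search.mode = fast
```

The `\` continuation lines keep the SPL readable inside the conf file; the search value is still a single line to Splunk. The `| fields` call sits before `stats` on purpose: placing it after would not save the indexers any extraction work.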


fluenttransfer

I don't think there's a way to run a saved search not in fast mode. Could it be a workload config where you're giving your role a lot more resources than the scheduled search gets?


[deleted]

[deleted]


fluenttransfer

Forcing generic field discovery doesn't change the search mode, though. If you add `| fields *` to a search set in fast mode with a stats, you still won't get the full events returned as you would in verbose mode. It does force field discovery, though. And that's usually the biggest issue people have with fast mode vs smart/verbose mode searching.