Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Highlighted
bwalth01 Absent Member.
Absent Member.
568 views

Speeding up Logger Searches

Logger search performance seems to be getting progressively worse as we integrate more sources for events, or as time goes on, not sure which.

Other than running the Logger Database Defrag tool, what tips and tricks do you have for maintaining responsive searches?

The knowledge base discusses increasing time correction settings for searches over a small period of time - but I would assume that time correction would only reduce a potential search pool down by +/- 5 min. Searching over 7 days, that's irrelevant. See: https://arcsight.custhelp.com/cgi-bin/arcsight.cfg/php/enduser/prnt_adp.php?p_faqid=1462&p_created=1218165746&p_sid=vqmPrZzk&p_redirect=&p_li=

Labels (2)
0 Likes
Reply
2 Replies
Absent Member.. Dean Farrington Absent Member..
Absent Member..

Re: Speeding up Logger Searches

As you add more data sources it could be that you are increasing the volume of data you have to scan. This always impacts query speed.

Is the data Raw or CEF ? If the data is CEF format are you using indexed fields in your filters ? There is a performance tradeoff for adding more indexed fields, but if you routinely query an unindexed field that will impact your response times and it might be worth indexing. Make any indexing decisions carefully as you cannot remove indexing from a field once it is enabled.

0 Likes
Reply
bwalth01 Absent Member.
Absent Member.

Re: Speeding up Logger Searches

Yes - no amount of indexing is going to prevent more data causing more search time! Though using the tremendously unreliable metric of our own patience, we notice the increase more than we would have suspected.

CEF. We recently tried adding some fields to the indexing to alleviate the problem. It would be nice to be able to experiment with indexing and de-index fields, but that's how it goes. So far raw performance hasn't been an issue; we're happy to sacrifice some for better usability with our level of EPS. Do you know which process handles the increased indexing load? So far no single process is above 5% CPU usage - so lots of wiggle room there.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.