Data Management

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Data Management

Data Management Contents

Get Started

Get Data In

Transform and Route Data

Monitor and Troubleshoot

Monitor Data in Splunk Cloud Platform

Use Clould Monitoring Console

Data Sources

Integrate Data with Add-Ons

Forward Data

Ingest Data from Cloud Sources

Collect HTTP Event Data

Connect Relational Databases

Collect Stream Data

Data Transformation

Process Data at the Edge

Process Data at Ingest Time

Perform Basic Data Processing

Common Information Model

Data Destinations

Archive Data in Splunk Cloud Platform

Manage Splunk Enterprise Indexers

Splunk Cloud Platform Admin Manual

Splunk Enterprise Admin Manual

Splunk Validated Architectures

Analyze expensive searches

The CMC Expensive Searches dashboard provides information to Splunk Cloud Platform administrators on searches that are high consumers of your Splunk Cloud Platform resources. Use this dashboard to determine if these expensive and possibly inefficient searches are worth their cost.

Review the Expensive Searches dashboard

This dashboard provides four panels of data regarding expensive and inefficient searches. Set a time range to filter the results.

To investigate your panels, go to Cloud Monitoring Console > Search > Expensive Searches. Use the following table to understand the dashboard interface.


Panel or Filter	Description
Time Range	Set the time range for the data display.
Maximum Runtime Searches	Shows a line graph of search duration in seconds over time, comparing maximum ad hoc searches against scheduled searches.
Top 20 Most Memory Consuming Searches	Shows a table that lists the following: Splunk platform instance label Provenance Percentage memory used (KB) Search duration and start time and date Search type, mode, and app User name and role
Top 20 Most Expensive Ad Hoc Searches	Shows a table that lists the following: Search time User Time range start and end Search duration and result count Memory usage (KB) Total number of events scanned Search query
Top 20 Most Expensive Scheduled Searches	Shows a table that lists the following: Search time User Scheduled time Status Search duration and result count Memory usage (KB) Saved search name
Potentially Inefficient Searches	Shows a table that lists the following: User Search Processing Language (SPL) Events scanned Search time range in days Search duration Splunk query score: A calculated number based on weighted indicators within an SPL string. A high score indicates a very inefficient search. Potentially inefficient behavior: Shows the indicators within an SPL string that reduce search efficiency.

Interpret expensive searches results

When interpreting your expensive searches results, note the following:

After you identify the expensive and inefficient searches in your deployment, collaborate with users to improve the queries, using the information in the Write better searches topic in the Splunk Cloud Platform Search Manual.
Review the score range of your searches using the Splunk Query Score column in the Potentially Inefficient Searches panel, and optimize searches that received a high score as soon as possible.

Last updated: May 28, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.