Optimize performance

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

Before you begin, see Plan for field filters in your organization for important considerations about planning for field filters.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone.

If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.

If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Performance considerations

Search performance is only impacted when a field filter is actually applied to a search or when a search is run against indexes that have field filters. In these cases, field filters affect the performance of searches to some extent because of the extra processing overhead required to filter fields. As you plan how you will deploy field filters in your organization, keep the following performance considerations in mind:

  • Minimize the number and complexity of field filters. The total number of field filters in your environment should not exceed 5,000.

  • Limit each field filter to a specific target index, host, source, or source type.

Minimize the number and complexity of field filters

The performance impact of field filters depends on how each field filter is defined and how many there are. Search performance degrades as you increase the number and complexity of field filters. A few simple field filters that don't use sed expressions or SHA hash functions have minimal performance impact on searches, similar to that of filters with the eval command.

Limit each field filter to a specific target index, host, source, or source type

For optimal performance, limit each field filter to a specific target index, host, source, or source type when you create your field filter in Splunk Web, which avoids performance impacts on unrelated search results. For example, if you don't specify a host limit on a field filter, the field filter will be applied to all hosts in search results, which will result in inefficient searches. You must specify at least one target index when setting up your field filter. See Optimize field filter performance using Splunk Web.
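The two guidelines above (keep the filter set small and simple; scope every filter to an index plus a host, source, or source type) can be checked before deployment. The script below is an added planning aid, not Splunk's own code or configuration format: it models each planned filter as a simple Python object (the `FieldFilter` class, the transformation labels such as `null`, `sha256` and `sed`, and the sample filters are all constructed for this example) and reports the filters that miss a target index, apply to every host in their index, or use the costlier sed or SHA transformations, as well as a total above the documented limit of 5,000.

```python
"""Plan-time checks for a set of planned Splunk field filters.

The FieldFilter representation below is constructed for this example; it is
not Splunk's fieldfilters configuration and uses no Splunk API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Upper bound on the total number of field filters given in the documentation.
MAX_FIELD_FILTERS = 5000


@dataclass
class FieldFilter:
    name: str
    indexes: list[str]                      # at least one target index is required
    hosts: list[str] = field(default_factory=list)
    sources: list[str] = field(default_factory=list)
    sourcetypes: list[str] = field(default_factory=list)
    # field name -> transformation label (illustrative labels, e.g. "null",
    # "sha256", "sed"); the documentation singles out sed and SHA as costly.
    transformations: dict[str, str] = field(default_factory=dict)

    def expensive_kinds(self) -> list[str]:
        """Transformations that add more overhead than a plain eval-style filter."""
        return sorted({k for k in self.transformations.values()
                       if k == "sed" or k.startswith("sha")})

    def is_scoped(self) -> bool:
        """True when the filter is limited to a host, source, or source type."""
        return bool(self.hosts or self.sources or self.sourcetypes)


def check_filter(f: FieldFilter) -> list[str]:
    """Return human-readable findings for one planned filter."""
    findings = []
    if not f.indexes:
        findings.append(f"{f.name}: no target index; at least one index is required")
    if not f.is_scoped():
        scope = ", ".join(f.indexes) or "its target indexes"
        findings.append(f"{f.name}: not limited to a host, source, or source type; "
                        f"it will be applied to every event in {scope}")
    kinds = f.expensive_kinds()
    if kinds:
        findings.append(f"{f.name}: uses {', '.join(kinds)}; expect more search "
                        f"overhead than a simple eval-style filter")
    return findings


def check_deployment(filters: list[FieldFilter]) -> dict:
    """Summarise the whole planned set against the performance guidelines."""
    findings = []
    if len(filters) > MAX_FIELD_FILTERS:
        findings.append(f"total of {len(filters)} field filters exceeds the "
                        f"documented maximum of {MAX_FIELD_FILTERS}")
    for f in filters:
        findings.extend(check_filter(f))
    return {
        "total": len(filters),
        "expensive": sum(1 for f in filters if f.expensive_kinds()),
        "unscoped": sum(1 for f in filters if not f.is_scoped()),
        "findings": findings,
    }


# Constructed sample: three filters a hypothetical team plans to deploy.
SAMPLE_FILTERS = [
    FieldFilter("mask_ssn", indexes=["hr"], sourcetypes=["hr:payroll"],
                transformations={"ssn": "null"}),
    FieldFilter("hash_email", indexes=["web"],
                transformations={"email": "sha256"}),
    FieldFilter("redact_card", indexes=[], hosts=["pos-*"],
                transformations={"card": "sed"}),
]

if __name__ == "__main__":
    report = check_deployment(SAMPLE_FILTERS)
    print(f"{report['total']} filters, {report['expensive']} expensive, "
          f"{report['unscoped']} unscoped")
    for line in report["findings"]:
        print(" -", line)
```

Run against the sample, only `mask_ssn` passes cleanly: `hash_email` is flagged because it applies to every host in the `web` index and hashes with SHA, and `redact_card` because it has no target index and uses a sed expression. Feeding the script an export of your real planned filters (mapped into `FieldFilter` objects) gives a quick first pass at both guidelines before anything is created in Splunk Web.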

Next step

Next, plan for upgrade and migration considerations. See Upgrades and migration.