SplunkのData Model Accelerationは何故早いのか

Transcript

1. © 2018 SPLUNK INC. © 2018 SPLUNK INC. Data Model

   Acceleration   Senior Sales Engineer 2019.07.06 Ver0.2

2. © 2018 SPLUNK INC. 
     .C 

    @A024 # "$6   
     !E3 # # "$/;   =Authentication# *#+
   
    # "$172 &+%-D
   9B)8 &+% ?: (,$# "$/;5<4 
    ># "$Authentication'"$

3. © 2018 SPLUNK INC. 
     Pivot# " $ (=)

   !

4. © 2018 SPLUNK INC. ▶ ,4) • +4)4('#:6A<(&.(2@ -1(.tsidx*2)EC •

   -1indexbucket=?N  • -17;UQ> -1TRM J -1307;UPO • (&.(2$03!/4D@85 -1@#)3"LKG?(& .(29C@1%#FSHB ▶ I   • _raw
   .tsidx  ””         .'+*,.)- !&.#+(.!.$  

5. © 2018 SPLUNK INC. :8'+(.tsidx%,)/= #!(#, *-).10 .tsidx2&.!64?> rawdata 

     5 <  3;"10 .tsidx2$-97 RawData          

6. © 2018 SPLUNK INC.    
   #! 
   "#!

     
    *%($# +) ($ . "'&0/ 
    • 100% 
   21($ # +)  •  46.12MB- , !

7. © 2018 SPLUNK INC. 
    VS 
    " 5/ #$-6

   0Authentication2 0Authentication!1' 
   +%)$  ,* )$2 (&43  
    19.202. 
    4.633.

8. © 2018 SPLUNK INC. * '    @=+

   E/BC46'(Linux
   windows
   vpn )< %&+
   46?> &#<1  CIM
   ;D Datamodel9, | datamodel *A+ !(3/246' Datamodel8 )
   $  Datamodel *A+ %( :@+
   *A(tstats) 8 )F | tstats !(3/246' Datamodel8
   SPL !) 
   $  Datamodel *A+ %( :@+
   Pivot-78 & #5. | pivot
   "-7 0 ,$( '#
    "( ( ) I M f e f e fd C M d

9. © 2018 SPLUNK INC. |datamodel
    
   
     

     |datamodel Authentication search | search

10. © 2018 SPLUNK INC. |tstats
     Datamodel  
    

    |tstats summariesonly=true count from datamodel=Authentication groupby Authentication.user

11. © 2018 SPLUNK INC. stats VS tstats VS tstats(summariesonly=t) Firewall

     
    !  • 0.299
    • tstats summariesonly=t • ! $ • 4.239
    • tstats summariesonly=f • 
    #"_raw
      • 28.966
    • stats

12. © 2018 SPLUNK INC. ▶ #&
     $"%!& *  https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutsummaryindex

    ing ▶ PIVOT vs DATAMODEL vs TSTATS (by Splunk Answers) https://answers.splunk.com/answers/330264/pivot-vs-datamodel-vs-tstats.html ▶   ' How Search Works - $$
    TSIDX
    TERM + () https://www.slideshare.net/takashikomatsubara50/how-search-works-tsidxterm