ForgeRock Identity Platform
Does not apply to Identity Cloud

Unindexed searches causing slow searches and poor performance on DS (All versions) server

Last updated Jun 14, 2021

The purpose of this article is to provide assistance if you have unindexed searches that are causing slow searches and poor performance on the DS server. Other symptoms may include high CPU usage when searching.



An entry similar to the following is shown in the access log (located in the /path/to/ds/logs directory where DS is installed):

{"eventName":"DJ-LDAP","client":{"ip":"","port":8443},"server":{"ip":"","port":1636},"request":{"protocol":"LDAPS","operation":"SEARCH","connId":159078,"msgId":154,"dn":"ou=groups,dc=AMusers","scope":"wholeSubtree","filter":"(memberUid=JDoe)","attrs":["1.1"]},"transactionId":"0","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":11999,"elapsedTimeUnits":"MILLISECONDS","additionalItems":" unindexed","nentries":0},"timestamp":"2021-07-21T15:04:51.850Z","_id":"e3a44b25-4800-8cfa-1bad-6e2bb6461607-38233"}

In this entry, the search is flagged as unindexed (in the additionalItems field) and has a high elapsedTime value; elapsedTime values should typically be 2 or 3.

Alternatively, an entry may show with a high elapsedTime without stating it is unindexed:


Unindexed only appears in the access log if no indexes were used to process the search, but the high elapsedTime still suggests a partially unindexed search.

Recent Changes



Indexes improve search performance based on search filters. DS comes with a set of standard indexes for commonly used attributes, such as givenName, to improve searches that include these attributes. When a search includes an attribute that has not been indexed, the search takes a lot longer (reflected in the high elapsedTime value).


This issue can be resolved by creating and building an index for the affected attribute. In the first example log entry, the affected attribute is memberUid, so you would need to create and build an index for this attribute.

If a search filter includes multiple attributes and you are unsure which attribute is unindexed, you can use the debugsearchindex option with the ldapsearch command to find out how DS would process the search (rather than actually performing the search) and identify any unindexed attributes. See the debugsearchindex example in How do I troubleshoot issues with my indexes in DS (All versions)? for further information.

See Indexes and How do I know what index types are needed for search filters in DS (All versions)? for further information on creating and building indexes.


You should only create and build indexes for attributes that are included in your search filters and are repeatedly causing high elapsedTimes, as too many indexes can actually be detrimental to performance, especially if they are unused.
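To see which attributes are repeatedly involved before deciding what to index, the access log can be tallied by filter attribute. The following is an added example, not ForgeRock code: it assumes JSON access log lines shaped like the entry above, a 1000 ms threshold chosen for illustration, and constructed sample entries.

```python
import json
import re
from collections import Counter

SLOW_MS = 1000  # assumed threshold (not a DS default); entries assumed to log MILLISECONDS
# Attribute name = token between "(" and the match operator in an LDAP filter.
ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)[~<>:=]")

def flag_searches(lines, slow_ms=SLOW_MS):
    """Yield (reason, elapsed_ms, filter, attrs) for each suspect SEARCH entry."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        req, resp = entry.get("request", {}), entry.get("response", {})
        if req.get("operation") != "SEARCH":
            continue
        elapsed = resp.get("elapsedTime", 0)
        if "unindexed" in str(resp.get("additionalItems", "")):
            reason = "unindexed"  # no index was used at all
        elif elapsed >= slow_ms:
            reason = "slow"       # possibly partially unindexed
        else:
            continue
        flt = req.get("filter", "")
        yield reason, elapsed, flt, ATTR_RE.findall(flt)

def tally_attributes(lines, slow_ms=SLOW_MS):
    """Count how often each filter attribute appears in flagged searches."""
    counts = Counter()
    for reason, _elapsed, _flt, attrs in flag_searches(lines, slow_ms):
        for attr in attrs:
            counts[(attr.lower(), reason)] += 1
    return counts

def _sample(flt, elapsed, extra=None):  # builds a constructed log line
    resp = {"elapsedTime": elapsed, "elapsedTimeUnits": "MILLISECONDS"}
    if extra:
        resp["additionalItems"] = extra
    return json.dumps({"request": {"operation": "SEARCH", "filter": flt}, "response": resp})

SAMPLE = [  # constructed entries, not real log data
    _sample("(memberUid=JDoe)", 11999, " unindexed"),
    _sample("(&(objectClass=posixGroup)(memberUid=ASmith))", 8450),
    _sample("(uid=bjensen)", 2),
    '{"request":{"operation":"SEARCH"',  # truncated line, skipped
]

if __name__ == "__main__": print(tally_attributes(SAMPLE).most_common())
```

For a slow entry whose filter names several attributes, the tally cannot say which one lacks an index; the debugsearchindex check mentioned above is what settles that.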

See Also

How do I troubleshoot issues with my indexes in DS (All versions)?

How do I rebuild indexes in DS (All versions)?

How do I know what index types are needed for search filters in DS (All versions)?



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.