https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60775#M12087 <P>Can you paste the exact search you're using? </P> <P>In a nutshell, if Splunk is having to read all the data off disk, then the most likely reason is that your searchterms are either not in the initial search clause... ie you're doing something like </P> <PRE><CODE>`sourcetype=foo | &lt;some other command(s)&gt; | search &lt;searchterms&gt;` </CODE></PRE> <P>Then there are a lot of other strange possibilities, like, to take a random example, you could have a <CODE>foo="bar"</CODE> term, and you could have it in the initial search clause, but then for some reason something could have configured INDEXED_VALUE in fields.conf to be false for that field. </P> <P>In any event, without seeing the search it's hard to speculate on the answer, but there most likely is an answer, and it's probably fixable. </P> Sat, 26 May 2012 05:11:38 GMT sideview 2012-05-26T05:11:38Z https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60773#M12085 <P>I run a python script to get data into an indexer from mdb files, this basically creates events with source, host, sourcetype and raw data. We are almost always concerned with only reporting on the raw data. millions of rows are generated in csv format and I have created custom fields within the raw data with splunk having no problem identifying those.</P> <P>The issue is doing a search to find 2 distinct values in those 12 million + rows takes forever, it parses all 12 million rows before returning the values. </P> Fri, 25 May 2012 16:51:50 GMT https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60773#M12085 Cuyose 2012-05-25T16:51:50Z https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60774#M12086 <P>What is the keyword you are searching and exact query? How often does it exist in the raw data?</P> Fri, 25 May 2012 18:12:42 GMT https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60774#M12086 Simeon 2012-05-25T18:12:42Z https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60775#M12087 <P>Can you paste the exact search you're using? </P> <P>In a nutshell, if Splunk is having to read all the data off disk, then the most likely reason is that your searchterms are either not in the initial search clause... ie you're doing something like </P> <PRE><CODE>`sourcetype=foo | &lt;some other command(s)&gt; | search &lt;searchterms&gt;` </CODE></PRE> <P>Then there are a lot of other strange possibilities, like, to take a random example, you could have a <CODE>foo="bar"</CODE> term, and you could have it in the initial search clause, but then for some reason something could have configured INDEXED_VALUE in fields.conf to be false for that field. </P> <P>In any event, without seeing the search it's hard to speculate on the answer, but there most likely is an answer, and it's probably fixable. </P> Sat, 26 May 2012 05:11:38 GMT https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60775#M12087 sideview 2012-05-26T05:11:38Z https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60776#M12088 <P>index = perfdata | dedup LR_Run_Name</P> <P>Where LR_Run_Name is in the raw data and we extracted the field value. I checked the fields.conf and there are no indexed values in there on these fields we extracted, they all look like this</P> <P>Out of millions of rows there are only a handful of unique values in the indexed raw data.</P> <P>[sourcetype]<BR /> INDEXED = True<BR /> INDEXED_VALUE = False</P> <P>Would I add something like?<BR /> [LR_Run_Name]<BR /> INDEXED = True<BR /> INDEXED_VALUE = False</P> Mon, 28 Sep 2020 11:52:35 GMT https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/60776#M12088 Cuyose 2020-09-28T11:52:35Z https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/515761#M87338 <P>Could you please help me out how to search multiple words from raw data</P> Mon, 24 Aug 2020 12:00:53 GMT https://community.splunk.com/t5/Getting-Data-In/Index-based-on-Raw-Data/m-p/515761#M87338 Supriya 2020-08-24T12:00:53Z