https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549695#M155994 <P>Take a look at the field extractor in the UI - you can get there from a raw event, via the Event Actions drop down. Splunk is great at unstructured data and it's really good to take a look at how you do field extractions, as it will help you a lot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bowesmana_0-1619648505124.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13960i7AFB4D33B199E7A9/image-size/medium?v=v2&amp;px=400" role="button" title="bowesmana_0-1619648505124.png" alt="bowesmana_0-1619648505124.png" /></span></P><P>You can extract fields based on regular expressions or delimiters, if you don't know much about regex, then <A href="https://regex101.com" target="_blank">https://regex101.com</A>&nbsp;is a good place to look to play with regex.</P><P>&nbsp;</P> Wed, 28 Apr 2021 22:23:19 GMT bowesmana 2021-04-28T22:23:19Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549503#M155917 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>I am building a query to be able to display a line graph of status (offline, online) over a period of 30days.&nbsp; Query currently is so slow it usually doesn't finish.&nbsp; looking for assistance to see if I can do something different to speed it up.&nbsp; thanks!</P><P>&nbsp;</P><P>Current query:</P><P>index=mydata sourcetype="mySourceType" (_raw=*offline* OR _raw=*online*)&nbsp;<BR />| eval status=if(like(_raw, "%offline%"),"Offline","Online")<BR />| timechart span=1d count by status</P> Tue, 27 Apr 2021 18:02:58 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549503#M155917 dglass0215 2021-04-27T18:02:58Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549512#M155922 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/117218">@dglass0215</a>,<BR />You don't need to use wildcard (*) in the base search. Try the below query without the <STRONG>timechart</STRONG>&nbsp;first and check the performance. Then add timechart and check the performance.</P><LI-CODE lang="markup">index=mydata sourcetype="mySourceType" offline OR online | rex "(?&lt;status&gt;offline)" | eval status=if(status="offline","Offline","Online")</LI-CODE><P>&nbsp;</P> Tue, 27 Apr 2021 18:38:06 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549512#M155922 manjunathmeti 2021-04-27T18:38:06Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549560#M155942 <P>Create a field extraction where you extract the current status from raw for that sourcetype, so when you search for it, you can search for all records with status, e.g.</P><LI-CODE lang="markup">index=mydata sourcetype="mySourceType" status=* | timechart span=1d count by status</LI-CODE><P>otherwise the leading wildcard combined with _raw= is going to have to search all the data for that sourcetype for your time period. Any row that does not have an extracted status field will not be found.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 04:47:16 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549560#M155942 bowesmana 2021-04-28T04:47:16Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549614#M155962 <P>Not sure how to do that when the data is unstructured.</P> Wed, 28 Apr 2021 13:22:57 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549614#M155962 dglass0215 2021-04-28T13:22:57Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549615#M155963 <P>Thank you.&nbsp; This definitely helped to speed it up.</P> Wed, 28 Apr 2021 13:23:29 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549615#M155963 dglass0215 2021-04-28T13:23:29Z https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549695#M155994 <P>Take a look at the field extractor in the UI - you can get there from a raw event, via the Event Actions drop down. Splunk is great at unstructured data and it's really good to take a look at how you do field extractions, as it will help you a lot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bowesmana_0-1619648505124.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13960i7AFB4D33B199E7A9/image-size/medium?v=v2&amp;px=400" role="button" title="bowesmana_0-1619648505124.png" alt="bowesmana_0-1619648505124.png" /></span></P><P>You can extract fields based on regular expressions or delimiters, if you don't know much about regex, then <A href="https://regex101.com" target="_blank">https://regex101.com</A>&nbsp;is a good place to look to play with regex.</P><P>&nbsp;</P> Wed, 28 Apr 2021 22:23:19 GMT https://community.splunk.com/t5/Splunk-Search/Query-Performace/m-p/549695#M155994 bowesmana 2021-04-28T22:23:19Z