https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594663#M206979 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />That was really quick and helpful.<BR />Also, is there is any possibility if we can modify time range setting in such a way that is do not overlap the data.<BR /><BR />Like currently, its running everyday and resulting 30 days of data since time range is set as of 30 days.</P> Thu, 21 Apr 2022 12:57:33 GMT nilbak88 2022-04-21T12:57:33Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594654#M206975 <P>Hi All,<BR /><BR />One of my scheduled report is quite expensive.<BR />It runs everyday from Monday to Friday and results in 30 days worth of data.<BR /><BR />Search Query<BR />index=abc_* | stats count by index,host<BR /><BR />How can I improve its search efficiency?<BR />Please suggest .</P> Thu, 21 Apr 2022 14:43:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594654#M206975 nilbak88 2022-04-21T14:43:22Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594656#M206976 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231835">@nilbak88</a>,</P><P>if in your search you have to use only index and host, you can use | metasearch for faster searches:</P><LI-CODE lang="markup">| metasearch index=abc_* | stats count by index host</LI-CODE><P>for more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Metasearch" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Metasearch</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 21 Apr 2022 12:17:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594656#M206976 gcusello 2022-04-21T12:17:29Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594663#M206979 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />That was really quick and helpful.<BR />Also, is there is any possibility if we can modify time range setting in such a way that is do not overlap the data.<BR /><BR />Like currently, its running everyday and resulting 30 days of data since time range is set as of 30 days.</P> Thu, 21 Apr 2022 12:57:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594663#M206979 nilbak88 2022-04-21T12:57:33Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594670#M206982 <P>You could put your daily counts into a summary index, then create a report which sums counts from the summary index for the last 30 days</P> Thu, 21 Apr 2022 13:21:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594670#M206982 ITWhisperer 2022-04-21T13:21:03Z https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594671#M206983 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231835">@nilbak88</a>&nbsp;,</P><P>if you want to fix the time range e.g. from the last 30 days to the end of yestarday, you could add some time modifiers like this:</P><LI-CODE lang="markup">| metasearch index=abc_* earliest=-30d@d latest=@d | stats count by index host</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 21 Apr 2022 13:21:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-improve-efficiency-of-a-Splunk-search/m-p/594671#M206983 gcusello 2022-04-21T13:21:53Z