Archive
Highlighted

Disabling eventtypes on a per-query basis?

Splunk Employee
Splunk Employee

I've got a long-running search that's spending more time than necessary in command.search.typer. I say more time than necessary because I'm not referencing the eventtypes at all, whether as a field nor as part of my search string. I've tried the fields - eventtype strategy listed here, but I still see time spent in command.search.typer.

Anything else I can try to temporarily disable eventtypes?

(Splunk version is 4.3.6.)

Tags (1)
Highlighted

Re: Disabling eventtypes on a per-query basis?

Splunk Employee
Splunk Employee

try this:

| fields - eventtype, tag::eventtype

0 Karma
Highlighted

Re: Disabling eventtypes on a per-query basis?

Splunk Employee
Splunk Employee

Sadly, that doesn't work, either.

0 Karma
Highlighted

Re: Disabling eventtypes on a per-query basis?

Splunk Employee
Splunk Employee

I suppose you can always do ...| fields [list of necessary fields ONLY] | ....

View solution in original post

Highlighted

Re: Disabling eventtypes on a per-query basis?

Splunk Employee
Splunk Employee

Once I limited the search to just the fields I wanted, typer doesn't show up in job inspector. Thanks!

0 Karma