Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Create a table metrices

dwibedi03
Explorer
‎10-30-2020 10:43 AM

I have a huge proxy logs for which need to create a monthly report since Jan 2019. Is there a way I can create the search that runs quick and I am able to create the table.

My current search 

index=xyz | timechart span=1mon count by action 

runs very slow for this huge data. I have also tried the datamodel route and yet the table is not getting created. Is there a way to create for each month and consolidate together in a optimized way?

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2020 01:47 PM

Searching a huge log will almost always take a huge amount of time.  Using a datamodel will help, but only if the datamodel is accelerated.

There are some basic steps you can take to speed up the search.

Start by qualifying the search.  Reading everything in index xyz probably is not necessary so specify the data you want, either by source, sourcetype, or some other field.

Use the fields command to reduce the number of fields Splunk has to keep track of.

Filter your data.  Once you've read events from the index, eliminate those that don't apply to your report.

Consider running the report several times over smaller time ranges (1 per quarter, perhaps).  This may not be feasible for all reports.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...