Re: Create a table metrices

dwibedi03 · ‎10-30-2020

I have a huge proxy logs for which need to create a monthly report since Jan 2019. Is there a way I can create the search that runs quick and I am able to create the table.

My current search

index=xyz | timechart span=1mon count by action

runs very slow for this huge data. I have also tried the datamodel route and yet the table is not getting created. Is there a way to create for each month and consolidate together in a optimized way?

richgalloway · ‎10-30-2020

Searching a huge log will almost always take a huge amount of time. Using a datamodel will help, but only if the datamodel is accelerated.

There are some basic steps you can take to speed up the search.

Start by qualifying the search. Reading everything in index xyz probably is not necessary so specify the data you want, either by source, sourcetype, or some other field.

Use the fields command to reduce the number of fields Splunk has to keep track of.

Filter your data. Once you've read events from the index, eliminate those that don't apply to your report.

Consider running the report several times over smaller time ranges (1 per quarter, perhaps). This may not be feasible for all reports.

---
If this reply helps you, Karma would be appreciated.

Create a table metrices

table

timechart

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation