I have a dashboard with a search that produces how much data has been indexed by Splunk for a given time range. However, due to the large amount of data being processed, this search is quite slow. I was wondering what the best method is for caching previous search results and only search from the current time to the last cache searched. For example, if I was searching how much data was indexed the past 7 days, and I had a cached search for the first 4 days, I'd like to use that cached search then add on the remaining last 3 days.
Splunk doesn't have the ability to Cache search results and use them like this per say at search time (you can look at the loadjob command and understand what I mean here.) So I believe you want to use Report Acceleration.
That has a good outline of what you have to do and what kind of searches you can use this on. There are constraints on the search you can enable this on along with how to check how much is Accelerated.