Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Speed Optimization

kishan2356
Explorer
‎09-15-2020 11:44 AM

I have a multi search command that searches 4 weeks of data to display as a stats table in my dashbaord. The problem is that the search takes way to long. I do not think streamstats or eventstats work for this type of search. I have read up on summary indexes and data models. Would data models increase speed? and how would I create models? 

Labels (1)
Labels
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-15-2020 04:49 PM

Please share your current search so we can look at it and make suggestions.  Perhaps streamstats or eventstats will work.

A datamodel by itself will not increase speed, but an accelerated datamodel most likely would.

To create a datamodel, go to Settings->Data models and click the green New Data Model button.  Fill in form and click Create.  From there it gets a little involved and you're better off following the existing instructions at https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/Designdatamodelobjects

---
If this reply helps you, Karma would be appreciated.
Reply

kishan2356
Explorer
‎09-21-2020 07:24 AM

| multisearch
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime$ latest=$latestTime$
| eval label=xxx
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime1$ latest=$latestTime1$
| eval _time=_time+60*60*24*7
| eval label=xxx 
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime2$ latest=$latestTime2$
| eval _time=_time+60*60*24*14 
| eval label=xxx 
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime3$ latest=$latestTime3$
| eval _time=_time+60*60*24*21 
| eval label=xxx 
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime4$ latest=$latestTime4$
| eval _time=_time+60*60*24*28 
| eval label=xxx 
| fields -_raw _time ecn label ]
| bin _time span=5m
| chart dc(ecn) over _time by label

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...