I have a multi search command that searches 4 weeks of data to display as a stats table in my dashboard. The problem is that the search takes way too long. I do not think streamstats or eventstats work for this type of search. I have read up on summary indexes and data models. Would data models increase speed? And how would I create models?
Please share your current search so we can look at it and make suggestions. Perhaps streamstats or eventstats will work.
A datamodel by itself will not increase speed, but an accelerated datamodel most likely would.
To create a datamodel, go to Settings->Data models and click the green New Data Model button. Fill in the form and click Create. From there it gets a little involved and you're better off following the existing instructions at https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/Designdatamodelobjects
| multisearch
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime$ latest=$latestTime$
| eval label=xxx
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime1$ latest=$latestTime1$
| eval _time=_time+60*60*24*7
| eval label=xxx
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime2$ latest=$latestTime2$
| eval _time=_time+60*60*24*14
| eval label=xxx
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime3$ latest=$latestTime3$
| eval _time=_time+60*60*24*21
| eval label=xxx
| fields -_raw _time ecn label ]
[ search index=xxx sourcetype=xxx xxx earliest=$earliestTime4$ latest=$latestTime4$
| eval _time=_time+60*60*24*28
| eval label=xxx
| fields -_raw _time ecn label ]
| bin _time span=5m
| chart dc(ecn) over _time by label
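
Added example, not part of the original posts: one way the week-over-week comparison above could be read from an accelerated data model with a single `tstats` pass instead of five raw-event searches. The data model `Ecn_Traffic`, its root dataset `Events`, the label strings, and the window layout (the last 24 hours plus the same 24 hours 1 to 4 weeks earlier) are assumptions, and the model's acceleration summary range must cover at least 29 days.

```spl
| tstats summariesonly=true dc(Events.ecn) AS ecn_count
    from datamodel=Ecn_Traffic.Events
    where earliest=-29d latest=now
    by _time span=5m
| eval age=now() - _time
| eval weeks_back=floor(age / 604800)
| where age - weeks_back * 604800 < 86400
| eval _time=_time + weeks_back * 604800
| eval label=if(weeks_back == 0, "current", weeks_back . "w ago")
| chart max(ecn_count) over _time by label
```

The distinct count is computed per 5-minute bin by `tstats`, so each shifted bin and label pair has exactly one row and `max` only carries that value through `chart`. With `summariesonly=true`, buckets that have not been summarized yet are skipped, so check the acceleration status before comparing the result with the raw search.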