Speed up Search while

splumtk1 · ‎03-04-2020

Hi Currently I have some JSON files in this structure :
{
{ Meta: .... }
{ Data: A,
B: [ {key: value_b1}, {key:value_b2} ... ]
}
In order to show the nested data properly, the JSON is transformed such each nested data is given individual Meta tags:
{
{ Meta: .... }
{ Data: B: {key:value_b1} }
}
{
{ Meta: .... }
{ Data: B: {key:value_b2} }
}
But this resulted in around 200,000 events per JSON file which slows down the dashboard searches, may I know what will be a good way to keep it to 1 events per JSON file while retaining the nested data structures?

Thank you

niketn · ‎03-04-2020

@splumtk1, if this is JSON data have you turned on INDEXED_EXTRACTION=json? If so are you using tstats in the query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

to4kawa · ‎03-04-2020

the dashboard searches
what do you search?

to keep it to 1 events per JSON file while retaining the nested data structures?
I'm not sure what you say.
Statistics OR Events ?

If your JSON is valid, | spath is useful.
but But this resulted in around 200,000 events per JSON file
your query is not good, maybe.

Speed up Search while

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Speed up Search while

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits