Hi all, I have a problem with a Squid search: it is very, very slow (over 30 minutes to load). The search is this:
sourcetype="squid" | timechart span="1d" sum(size)
The time range for the search is 30 days. How can I speed up this search?
The field extraction for the size parameter is:
(?i)^[^/]*/\d+\s+(?P<size>[^ ]+)
Summary indexing is one way to speed this up. Conceptually, you tell Splunk to pre-compute this data for smaller intervals (say once per day) - and then you use that pre-computed data to complete your intended search faster.
http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing
You can find information on scheduling searches in the Splunk docs at http://www.splunk.com/base/Documentation/latest/User/SchedulingSavedSearches
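Putting the two answers above together (pre-computing the totals with summary indexing, and running that computation on a schedule), here is a concrete configuration, added as an example; it is not from the original thread or from the Splunk documentation. It assumes a saved search named squid_bytes_hourly, a target index named summary, and that the size field extraction shown in the question is already in place. The stanza belongs in the app's savedsearches.conf (the same settings can be made in the saved-search editor under Manager).

```ini
# Hypothetical savedsearches.conf stanza (added example, not from the thread).
# Runs once an hour, pre-computes the per-hour byte totals with sitimechart,
# and writes the result into the "summary" index.
[squid_bytes_hourly]

# The si* commands store the intermediate statistics that a later
# timechart/stats needs, so span=1h here can be rolled up to span=1d later.
search = sourcetype="squid" | sitimechart span=1h sum(size)

# Schedule: 5 minutes past every hour, covering the previous whole hour.
# The 5-minute lag gives late-arriving Squid events time to be indexed
# before the hour they belong to is summarised.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Summary-indexing action: target index, plus a marker field (report=)
# stamped on every summary event so the consumer search can select them.
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = squid_bytes
```

With that in place the 30-day report becomes `index=summary report=squid_bytes | timechart span=1d sum(size)`, which reads 24 small pre-aggregated events per day instead of re-running the regex extraction over every raw Squid event. The two spans must nest (1d is a whole multiple of 1h). Two caveats: the summary only starts filling from the moment the schedule is enabled, so the 30 days already indexed have to be backfilled with Splunk's fill_summary_index.py script in $SPLUNK_HOME/bin (it takes the saved-search name and the earliest/latest time range to cover), otherwise the first month of the summary report is empty or partial; and it is worth checking on a sample (`sourcetype="squid" | head 100 | table size`) that size is numeric on every line, because sum() silently ignores non-numeric values, so any line where the regex captures something other than a byte count simply drops out of the total.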
How can I schedule the search every hour?