Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with the efficiency of my search?

supersnedz
Path Finder
‎04-27-2023 12:52 PM

Hello,

We have recently moved over to Splunk Cloud platform and I am making a dashboard that will have panels for each of our reporting servers/tools. So for example the dashboard will have a panel to show all IPS devices reporting in, all Proxies, all windows servers etc. I have created a query to show all proxies reporting in over the week, along with a timewarp to show the difference from the week before.

 

index="siem-proxy" source="global"  |timechart dc(an) | rename dc(an) as "Proxy" | timewrap 1w | rename "Proxy_1week_before" as "Proxy Previous Week" | rename "Proxy_latest_week" as "Proxy Latest"

 

This search goes through millions of events to show 15 proxies have reported in per day, so its very slow running. Is there an easy way to make this more efficient?

 

Cheers

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2023 11:37 PM

Try doing the rename as part of the timechart rather than for every event afterwards. It won't make a big improvement but then you didn't say how much improvement you required!

index="siem-proxy" source="global"  |timechart dc(an) as "Proxy" | timewrap 1w | rename "Proxy_1week_before" as "Proxy Previous Week" | rename "Proxy_latest_week" as "Proxy Latest"

It sounds like you have a lot of data to process so the query will take a while. One way to improve the efficiency of your query is perhaps to use summary indexes. Without further details on your usecase, it is difficult to be more specific though.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...