I am currently creating a base search which will be used in ITSI to populate KPIs and Glass tables.

Which approach sounds better from a performance/functionality point of view?

To create entities and filter specific KPIs based on the entity


To transpose the results, "converting" each possible entity into a distinct column and separating them as a base search metric? The current result is about 500+ rows and the trend is to increase with time...

Thank you.

Splunk Employee

If you want to compare, try and let it run.
Then use the scheduler.log to see the run_time of the ITSI "indicator" search to see which one is faster.

Using a shared base search can be an option to scale up, but as the entity filter is added after, it is sometimes expensive.
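One way to run the comparison suggested in the answer above, as an added example that is not part of the original thread. It assumes scheduler.log is indexed in the default location (`index=_internal sourcetype=scheduler`) and that the KPI searches have names beginning with "Indicator"; adjust the name filter and time range to match your environment.

```spl
index=_internal sourcetype=scheduler savedsearch_name="Indicator*" earliest=-24h
| stats count(eval(status="success")) AS successful_runs
        count(eval(status="skipped")) AS skipped_runs
        avg(run_time) AS avg_run_time
        perc95(run_time) AS p95_run_time
        max(run_time) AS max_run_time
        BY savedsearch_name
| eval avg_run_time=round(avg_run_time, 2)
| sort - p95_run_time
```

Run each variant of the base search over the same window and compare the rows. A rising count of skipped runs shows the scheduler is falling behind even when the average run_time looks acceptable.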

