Splunk Search

How to accelerate search in forms?

dishasaxena
Path Finder

Is there any way to accelerate searches which are being used in forms. Since,we cannot save form searches as they contain variables, so we need to use searchstring only. So possibly there could be any way to incorporate search acceleration by using any tag or by any other means.
Could someone please help me here?

Regards,
Disha

Tags (1)
0 Karma

Ayn
Legend

How to accelerate arbitrary searches? Well this is in essence what Splunk does by its very nature 🙂

Report acceleration (and summary indexing) works by performing calculations and aggregations before searches against the data are made so that you can search against that preprocessed data instead of the raw data, trading disk space for performance. Without knowing in advance what those searches are, it's naturally not possible to do this.

The only way to do something like this I can think of off the top of my head is that if you always have some static components of your search you could divide up your search so those run on their own in the base search. Then you throw in your variables in a separate search that feeds off the initial search. Something like:

| savedsearch "Your base search" | search variable=value variable2=value2

and so on. BEWARE though that this requires the saved search that you're accelerating to be as specific as possible, otherwise you won't really get any performance boost from this - you'll only be claiming more disk space without getting any benefits.

0 Karma

dishasaxena
Path Finder

Hi Ayn,

Thanks for your answer. Your approach sounds pretty good but somehow it is not working at my end, when I am trying to run a savedseardh using savedsearch as a first command, it is not displaying any result. Any troubleshooting you suggest?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...