Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make search faster

kteng2024
Path Finder
‎01-08-2018 04:02 PM

Hello,

below is my search . Since i am using join , search is slow . Can i please know if there is a way to increase the speed of the search rather than absolutely specifying the index.

| tstats max(time) as lastReport WHERE splunk_server_group=abc index=*_abc* OR index=main by host | eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S") | table LastReported host |join host [search index=_internal hostname=* | stats count by hostname sourceIp| rename hostname as host ]

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-09-2018 02:21 AM

Hi @kteng2024

Can you please try this?

| tstats max(_time) as lastReport WHERE splunk_server_group=abc index=abc OR index=main by host 
| eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S") 
| fields LastReported host 
| append 
    [ search index=_internal hostname=* 
    | stats count by hostname sourceIp 
    | rename hostname as host ] | stats values(sourceIp) as sourceIp values(LastReported) as LastReported by host
0 Karma
Reply

Elsurion
Communicator
‎01-09-2018 01:55 AM

A short win is when you add

| fields hostname, sourceIp

to your search, on my system it gave me about a win of 50% searchtime from 22sec to 11sec over a period of 60mins

Other question is, what are you expecting from your search here? Just a list when a certain host has sent last it's data?

0 Karma
Reply

mayurr98
Super Champion
‎01-08-2018 08:29 PM

Have you tried doing report acceleration?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...