Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make search faster

kteng2024
Path Finder
‎01-08-2018 04:02 PM

Hello,

below is my search . Since i am using join , search is slow . Can i please know if there is a way to increase the speed of the search rather than absolutely specifying the index.

| tstats max(time) as lastReport WHERE splunk_server_group=abc index=*_abc* OR index=main by host | eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S") | table LastReported host |join host [search index=_internal hostname=* | stats count by hostname sourceIp| rename hostname as host ]

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-09-2018 02:21 AM

Hi @kteng2024

Can you please try this?

| tstats max(_time) as lastReport WHERE splunk_server_group=abc index=abc OR index=main by host 
| eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S") 
| fields LastReported host 
| append 
    [ search index=_internal hostname=* 
    | stats count by hostname sourceIp 
    | rename hostname as host ] | stats values(sourceIp) as sourceIp values(LastReported) as LastReported by host
0 Karma
Reply

Elsurion
Communicator
‎01-09-2018 01:55 AM

A short win is when you add

| fields hostname, sourceIp

to your search, on my system it gave me about a win of 50% searchtime from 22sec to 11sec over a period of 60mins

Other question is, what are you expecting from your search here? Just a list when a certain host has sent last it's data?

0 Karma
Reply

mayurr98
Super Champion
‎01-08-2018 08:29 PM

Have you tried doing report acceleration?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...