Splunk Search

Improve Search Performance

mwdbhyat
Builder

Hi,

I've constructed the below 5 searches to populate a dashboard. Once they go onto our live systems they are going to be going through TB of data. I need to make these searches as efficient as possible using tstats, rest endpoints, summaries, scheduled reports and was wondering if anyone could point me in the direction of what to use and where in my searches, or improve the syntax? (search noob) So far timechart is being used for all of them as they are in single value visual form with a trend arrow per month.

Total Number of Systems - 30 Days
index=test earliest=-2mon@mon | timechart span=1mon dc(host) as Hosts

Total Volume Indexed - 30 Days
index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-2mon@mon | rename idx as Index | timechart span=1mon sum(b) as Bytes

Total Number of Events - 30 Days
index=test earliest=-2mon@mon | timechart span=1mon count

Total Number of Sourcetypes - 30 Days
index=test earliest=-2mon@mon | timechart span=1mon dc(sourcetype) as sourcetypes

Total Volume Per Day
index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-2d@d | rename idx as Index | timechart span=1d sum(b) as Bytes

Thanks

0 Karma
1 Solution

somesoni2
Revered Legend

For every query, other than ones which are showing license_usage, you can use tstats. For license usage queries, I would suggest to go for summary indexing/data model with acceleration.

Total Number of Systems - 30 Days

| tstats dc(host) as Hosts WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Volume Indexed - 30 Days
Create a summary index with the search below, run daily, and then use the result of that summary index in your dashboard

index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes

Total Number of Events - 30 Days

| tstats count WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Number of Sourcetypes - 30 Days

| tstats dc(sourcetype) as sourcetypes WHERE index=test earliest=-2mon@mon by _time span=1mon

Total Volume Per Day
Use the summary index created for "Total Volume Indexed - 30 Days"
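As an added example (not the answerer's configuration and not from the original post), here is how the recommended summary-indexing approach can be wired up in savedsearches.conf: a scheduled search writes one small event per day to a summary index, and the two license-volume dashboard searches read only that index. The summary index name summary_license, the stanza names and the report marker field are assumed names chosen for this illustration.

```ini
# savedsearches.conf (added example; summary index "summary_license", the
# stanza names and the "report" field are assumed names, not from the thread)

# 1. Scheduled search: runs once a day shortly after midnight, summarises only
#    yesterday's license_usage.log for idx=test, and stores a single event in
#    the summary index so the dashboard never re-scans raw _internal data.
[daily_license_volume_test]
search = index=_internal source=license_usage.log type=Usage pool=* idx=test \
  | stats sum(b) as Bytes by idx \
  | eval _time=relative_time(now(), "-1d@d")
# _time is pinned to the start of the day the event covers, so the monthly and
# daily timechart buckets in the dashboard line up with the summarised day.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 15 0 * * *
enableSched = 1
# Write the results to the summary index (sourcetype stash, so they are not
# counted against the license) and tag every event for easy selection.
action.summary_index = 1
action.summary_index._name = summary_license
action.summary_index.report = daily_license_volume

# 2. Dashboard searches read the summary index only. -2mon@mon returns the
#    previous and the current month bucket, the two rows a single value
#    visualization needs to draw its trend arrow.
[dashboard_total_volume_indexed_30d]
search = index=summary_license report=daily_license_volume idx=test \
  | timechart span=1mon sum(Bytes) as Bytes
dispatch.earliest_time = -2mon@mon
dispatch.latest_time = now

[dashboard_total_volume_per_day]
search = index=summary_license report=daily_license_volume idx=test \
  | timechart span=1d sum(Bytes) as Bytes
dispatch.earliest_time = -2d@d
dispatch.latest_time = now
```

The summary index is empty until the scheduled search has run, so backfill it once (fill_summary_index.py or a one-off run over the history you need) before pointing the dashboard at it.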


mwdbhyat
Builder

Thanks for this!! Is there any way I can keep my trend indicator arrow? They are not showing anymore now that the search has changed. They are enabled etc.

0 Karma

mwdbhyat
Builder

Quick question - shouldn't index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes have earliest and latest set to @mon rather than @day?

0 Karma