Splunk Search

Is it possible to do an index-only search without loading the raw event?

Lowell
Super Champion

I have a summary index search that does some simple stats (count) by host and sourcetype for WMI events. The problem I'm running into is that the search is pretty slow mostly because there are many WMI events to process. For the most part, I don't really need splunk to actually load these events since I'm simply doing some counts, so that got me thinking:

Is it possible to issue a search in splunk that doesn't actually fetch the raw event text?

In other words, I would be fine with simply getting back _time, source, sourcetype, and host without incurring the overhead of actually going out to disk to fetch the full event for each and every event. (My understanding is that all those fields would be available directly within the index (.tsidx) files and therefore would not need to fetch the event in the rawdata directory. I could be way off on this...)

I know that you can disable certain things like event-typing and lookups when doing a direct dispatch call, so I wasn't sure if something like this is possible or not.

Example search:

source=WMI:* | stats count as events by sourcetype, host

Stephen_Sorkin
Splunk Employee

It's currently not possible to not read the rawdata at all. The best you can do is to run from the CLI or Advanced Charting view so that no fields are extracted from the event. We previously had a setting to only read the timestamp and source/sourcetype/host, but this was hard to make work completely in all search cases.
