Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Is it possible to do an index-only search without loading the raw event?

Lowell
Super Champion
‎06-17-2010 08:43 PM

I have a summary index search that does some simple stats (count) by host and sourcetype for WMI events. The problem I'm running into is that the search is pretty slow mostly because there are many WMI events to process. For the most part, I don't really need splunk to actually load these events since I'm simply doing some counts, so that got me thinking:

Is is possible to issue a search in splunk that doesn't actually fetch the raw event text?

In other words, I would be fine with simply getting back simply _time, source, sourcetype, and host without out incurring the overhead of actually going out to disk to fetch the full event for each and every event. (My understanding is that all those fields would be available directly within the index (.tsidx) files and therefore would need to fetch the event in the rawdata directory. I could be way off on this...)

I know that you can disable certain things like event-typing and lookups when doing a direct dispatch call, so I wasn't sure if something like this is possible or not.

Example search:

source=WMI:* | stats count as events by sourcetype, host
Tags (2)
0 Karma
Reply
Highlighted

Re: Is it possible to do an index-only search without loading the raw event?

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-17-2010 08:49 PM

It's currently not possible to not read the rawdata at all. The best you can do is to run from the CLI or Advanced Charting view so that no fields are extracted from the event. We previously had a setting to only read the timestamp and source/sourcetype/host, but this was hard to make work completely in all search cases.

Reply