Solved: Why does the query take so long to find time dura...

ma_anand1984 · ‎12-23-2012


index=test_index
| stats min(_time) AS earliest max(_time) AS latest
| eval duration=latest-earliest
| table duration latest earliest

When
I run this query for 30 days it takes very long to run.

Ideally shouldn't it be running fast because its max and min time and should use efficient search to get it?

jonuwz · ‎12-24-2012

The data that splunk pulls out of the indexes is governed by the initial search (everything before the 1st | )

In this case you're pulling every event for the last 30 days (from disk), then having stats operate on that dataset.

This describes the difference between streaming and non-streaming search commands

jonuwz · ‎12-24-2012

The data that splunk pulls out of the indexes is governed by the initial search (everything before the 1st | )

In this case you're pulling every event for the last 30 days (from disk), then having stats operate on that dataset.

This describes the difference between streaming and non-streaming search commands

Why does the query take so long to find time duration