Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to save calculated fields in index for faster results

disha
Contributor
‎04-22-2013 01:34 PM

I am getting events like _time,boxid,MemoryUsage(bytes),filed1,field2,..

I need to run the search something like
...|spath|rename BOXID as ID,MU as mu|eval mu1=round((mu/1024),2)|timechart limit=0 first(mu1) by ID

for last 7 days or more this chart take so much time to load. Can I calculate mu1 (memory usage in mb) and write the value to splunk in advance so that at the time of chart loading, I just read the value and display.

Please suggest.

Thanks,
Disha

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 01:45 PM

Well, yes, of course.

Have a look at Accelerated Searches or Summary Indexing.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Aboutsummaryindexing

Just saving the results of the calculation round((mu/1024),2) won't improve performance significantly.

/K

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...