This will partly depend on what proportion of the total data you are looking to exclude. If the excluded proctitles are a significant proportion of the data, then using a post process where or regex clause may not perform so well, but you will have to play with that. Setting tags will still involve a search time extraction to evaluate the tag, so under the hood the search is being done.

You might want to look at the TERM directive - see this link: https://conf.splunk.com/files/2020/slides/PLA1089C.pdf. You will need to understand what constitutes a TERM in your data and whether that will work for your use case, but that can significantly improve performance.

When you are looking at this type of performance issue, go look at the job properties in the job inspector - look at scan count values - the more you scan, the more data you are having to check.

You could go down the indexed extraction route where you set a field at index time, but that is somewhat static and if you need to exclude a new proctitle, then that won't help, but it will improve search performance at the cost of index performance and disk space.
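As an added example (not part of the original answer, and not Splunk's own code), the Python sketch below checks whether a proctitle value can be used with TERM() at all: the value must not contain a major breaker and must sit between major breakers in the raw event. It assumes a simplified breaker set (single-character default major breakers and whitespace only), and the sample events are constructed.

```python
import re

# Simplified model of Splunk's default major breakers (assumption: whitespace and
# single-character breakers only; multi-character and URL-encoded ones are omitted).
MAJOR = re.compile(r"""[\[\]<>(){}|!;,'"*&?+\s]+""")


def term_candidates(raw_event):
    """Split a raw event on major breakers; each piece is a token TERM() could match."""
    return [tok for tok in MAJOR.split(raw_event) if tok]


def usable_as_term(value, raw_event):
    """Return (ok, reason) for using TERM(value) against events shaped like raw_event."""
    if MAJOR.search(value):
        return False, "value contains a major breaker"
    # Index terms are matched case-insensitively, so compare lowercased tokens.
    tokens = {tok.lower() for tok in term_candidates(raw_event)}
    if value.lower() not in tokens:
        return False, "not bounded by major breakers in the sample event"
    return True, "ok"


# Constructed sample events (hypothetical, not taken from the original post).
SAMPLE_PLAIN = "type=PROCTITLE msg=audit(1700000000.123:456): proctitle=/usr/sbin/crond"
SAMPLE_QUOTED = 'type=PROCTITLE msg=audit(1700000000.123:457): proctitle="backup.sh --full"'

if __name__ == "__main__":
    checks = [
        ("proctitle=/usr/sbin/crond", SAMPLE_PLAIN),  # whole key=value token
        ("crond", SAMPLE_PLAIN),                      # only split off by the minor breaker "/"
        ("backup.sh --full", SAMPLE_QUOTED),          # contains a space
    ]
    for value, event in checks:
        print(value, "->", usable_as_term(value, event))
```

A value that passes here is only a candidate; comparing scan count in the job inspector with and without TERM() shows whether it helps on the real data.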