Hi @sajjadali1122, you asked a very broad question. Briefly: at first, restrict as much as possible the time range of your search, avoid commands such as join or transaction, and be sure to have performant storage (at least 800 IOPS, better much more!). Then, if you have a large set of data, you can use some acceleration methods that you can find described at:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Knowledge/Aboutdatamodels
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Knowledge/Usesummaryindexing
https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Report/Acceleratereports
https://www.youtube.com/watch?v=c13phau6zxg
https://docs.splunk.com/Documentation/Splunk/9.3.1/Knowledge/Acceleratetables
and so on, searching "accelerate" on Google. In a few words, you can use a summary index in which you store the results of a scheduled search, so you can search on a reduced record or already grouped data. Or, if you have to search on structured data, you could use accelerated Data Models.
Ciao.
Giuseppe
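As an added illustration of the summary-index approach described in the answer above (example SPL, not part of the original post), the first search is meant to be saved as a scheduled report that runs once an hour over the previous whole hour and writes one pre-aggregated row per source into a summary index with the collect command; the second is what an analyst would then run over seven days of summary data instead of over the raw events. The index names (auth, summary_auth), the sourcetype, the field names (action, user, src) and the marker value are assumptions chosen for the example.

```spl
index=auth sourcetype=linux_secure action=failure earliest=-1h@h latest=@h
| stats count AS failures, dc(user) AS distinct_users BY src
| collect index=summary_auth marker="report=failed_logins_by_src"

index=summary_auth report=failed_logins_by_src earliest=-7d@d latest=@d
| stats sum(failures) AS failures, max(distinct_users) AS distinct_users BY src
| where failures > 100
| sort - failures
```

The snapped time ranges (@h, @d) keep each scheduled run from double-counting the boundary hour, and the second search reads only the small summary events, which is where the speed-up comes from.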