I have this query to find hosts from a lookup that have zero events. There are about 100 hosts and I can see that the query performance is slow with the use of subquery this way. Any ideas t...
Hi
I am running a heavy forwarder with HEC and it is sending data to 3 indexers. I am starting to read about ways to optimise this configuration, but I am not sure if I have all the s...
..." only returns about 300 results, but the subsearch is searching across millions of user accounts. If I removed the subsearch, the outer search only takes a few seconds to complete.
Does a...
I am getting an error when using the following regex (?<=on\s)(.*)(?=\sby Firewall Settings) The error is "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewal...
Hi,
I've got ~15.000 events where FieldA exists (in total there are 20.000.000 events). I want to filter out these events and I'm wondering about the performance of different approaches.
Why i...
Hi All,
How can I optimize the below query? Can we convert it to tstats?
index=abc host=def* stalled
| rex field=_raw "symbol (?<symbol>.*) /"
| eval hourofday = s...
...isplay the dashboard. What constitutes a search: a data base search? or does the post search also count?
2) I did some rough counts. If I merge the 5 summary-indexes into one, there will be about 3...
...o keep clean with time and dashboards add, not satisfying.
2. Summary indexing
Summary indexing, as far as I understood the way Splunk works, is one of the logical ways to achieve optimization.
U...
I would like to use a lookup into an external database to add fields to my events, but need some advice about performance and caching of expensive lookups.
For example, say I have a log of o...
...ixes for maximum user impact.
"Optimizing the User Experience through Splunk's Synthetic Monitoring and Web Optimization Tools."
Splunk Synthetic Monitoring and Web Optimization: Enhancing U...