Context: the existing Splunk installation I'm working with is not very robust when handling search requests due to the sheer volume of searchable events. The question here is - is there a way to make Splunk disregard its default sorting behavior and return the first N found matches as quickly as possible? The goal here is to use this in conjunction with the head clause to make the search return the first matches as quickly as possible - it is totally OK if events are presented without prior by-time sorting. So the expectation is that this approach should make the search near-instantaneous, provided that the filtering expression is broad enough and the first N matches can be found very quickly.