×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
zaks191
New Member
Member since: ‎07-19-2025
‎07-20-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-19-2025
View All

Re: How to Optimize Search Performance for Large-S...

by SplunkTrust in Getting Data In
‎07-24-2025 02:42 AM
‎07-24-2025 02:42 AM
3, 4 and partially 7 - not really. 3. Indexed fields - unless they contain additional metadata not present in the original events - are usually best avoided entirely. There are other ways of achieving the same result. 4. You can't use tstats instead of stats-based search just because the field is a number. It requiers specific types of data. True though that if you can use tstats instead of normal stats, it's way faster. 7. Wildcards at the beginning of search term should not be "avoided", they should not be used at all unless you have a very very very good for using them, know and understand the performance impact and can significantly limit sought through events using other means. The remark about regexes is generally valid but this is most often not the main reason for performance problems. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-20-2025 04:39 AM