Thanks, alonsocaio, for your response. I have changed the SPL as per your comments, as below:

host="Server1" index="performance_data" instance IN ("C:","D:","E:","F:","G:","H:") source="PerfmonMk:LogicalDisk" sourcetype="PerfmonMk:LogicalDisk"
| fields _time, host, instance, Avg._Disk_Queue_Length
| eval instance = substr(instance, 1, len(instance)-1)
| eval Host_Instance = 'host'."-".'instance'
| timechart eval(round(avg('Avg._Disk_Queue_Length'),2)) AS "Avg. Disk Queue Length" BY Host_Instance limit=0

But the SPL still took around 10 mins to load, and the chart keeps on dancing while it loads. Even if I just fetch the events using the base search, without any further command after |, it still takes a significant amount of time.

The job reports: "This search has completed and has returned 7 results by scanning 9,184,627 events"

Is this normal for this many events? The index has data for various sourcetypes and its size is 700+ GB. Could there be a problem with the index, or a need for additional IX in the cluster? Currently there are 4 indexers in the cloud deployment, which is managed by Splunk.